Remark:
Run this view; the URL opens as: http://localhost:51506/Account/Register
Now suppose you are an attacker and you know the URL at which a user can be registered in the CrossSite_RequestForgery application. You create a forgery site, Attacker_Application, and simply point a form's POST action at that same URL. Because the anti-forgery token is commented out in both the view and the controller below, the Register action has no way to tell the forged post from a legitimate one.
Register view (the @Html.AntiForgeryToken() call is commented out):

    @using (Html.BeginForm("Register", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
    {
        @*@Html.AntiForgeryToken()*@
        <h4>Create a new account.</h4>
    }
AccountController (the [ValidateAntiForgeryToken] attribute is commented out):

    [AllowAnonymous]
    public ActionResult Register()
    {
        return View();
    }

    //
    // POST: /Account/Register
    [HttpPost]
    [AllowAnonymous]
    //[ValidateAntiForgeryToken]
    public async Task<ActionResult> Register(RegisterViewModel model)
    {
        return View(model);
    }
Forged form in Attacker_Application, posting to the victim application's Register URL:

    <form method="post" action="http://localhost:51506/Account/Register">
        <fieldset>
            <legend>Registration Form</legend>
            <ol>
                <li>
                    @Html.LabelFor(m => m.UserName)
                    @Html.TextBoxFor(m => m.UserName)
                </li>
                <li>
                    @Html.LabelFor(m => m.Password)
                    @Html.PasswordFor(m => m.Password)
                </li>
                <li>
                    @Html.LabelFor(m => m.ConfirmPassword)
                    @Html.PasswordFor(m => m.ConfirmPassword)
                </li>
            </ol>
            <input type="submit" value="Register" />
        </fieldset>
    </form>
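The defensive counterpart, added here as an example and not code from the article: the same Register controller with the anti-forgery check switched on, plus a global authorization filter that runs the check on every POST, so that an attribute left commented out (as above) no longer leaves an action exposed. The filter class name ValidateAntiForgeryTokenOnAllPosts and the FilterConfig registration are assumptions, as is the omission of the user-creation call. The view must also emit the token by restoring @Html.AntiForgeryToken() inside the BeginForm block.

```csharp
using System;
using System.Net;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example (not the article's code). Hardened version of the Register
// action shown on the page: [ValidateAntiForgeryToken] is now active.
//
// How the check works: @Html.AntiForgeryToken() in the view writes a hidden
// field named __RequestVerificationToken and sets a cookie whose name starts
// with __RequestVerificationToken. The filter passes only when both are
// present and were issued as a pair. The forged form on Attacker_Application
// can make the victim's browser send the cookie, but it cannot read or
// reproduce the hidden field, so the post fails with HttpAntiForgeryException.
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Register()
    {
        return View(); // the view contains @Html.AntiForgeryToken()
    }

    //
    // POST: /Account/Register
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken] // rejects posts lacking a matching token pair
    public ActionResult Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // User creation (UserManager call in the MVC template) omitted here,
        // which is why this version is not marked async.
        return RedirectToAction("Index", "Home");
    }
}

// Defence in depth: apply the same check to every POST in the application.
// Class name is an assumption for this example.
public sealed class ValidateAntiForgeryTokenOnAllPosts : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        if (string.Equals(request.HttpMethod, WebRequestMethods.Http.Post, StringComparison.OrdinalIgnoreCase))
        {
            // System.Web.Helpers.AntiForgery.Validate() compares the cookie
            // token with the __RequestVerificationToken form field and throws
            // HttpAntiForgeryException when either is missing or they do not match.
            AntiForgery.Validate();
        }
    }
}

// Registered once in App_Start/FilterConfig.cs (a file the MVC template creates).
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new ValidateAntiForgeryTokenOnAllPosts());
    }
}
```

With the global filter in place, every form in the application must include @Html.AntiForgeryToken(), and any AJAX POST must send the hidden field's value as well; otherwise legitimate requests are rejected together with forged ones. The per-action attribute remains useful as documentation of intent even when the global filter is registered.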