ValidateAntiForgeryToken

Remark :

Run this view, url will be open as: http://localhost:51506/Account/Register

Now, suppose you are a hacker and you know the URL from where you can register user in CrossSite_RequestForgery application. Now, you created a Forgery site as Attacker_Application and just put the same URL in post method.

@using (Html.BeginForm("Register", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" })) { @*@Html.AntiForgeryToken()*@ // <h4>Create a new account.</h4> }

1 2 3 4 5 6 7 8

@using (Html.BeginForm("Register", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" })) {     @*@Html.AntiForgeryToken()*@   //  <h4>Create a new account.</h4>    }

controller

[AllowAnonymous] public ActionResult Register() { return View(); } // // POST: /Account/Register [HttpPost] [AllowAnonymous] //[ValidateAntiForgeryToken] public async Task<ActionResult> Register(RegisterViewModel model) { return View(model); }

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

[AllowAnonymous]         public ActionResult Register()         {             return View();         }           //         // POST: /Account/Register         [HttpPost]         [AllowAnonymous]         //[ValidateAntiForgeryToken]         public async Task<ActionResult> Register(RegisterViewModel model)         {                          return View(model);         }

<form method="post" action="http://localhost:51506/Account/Register"> <fieldset> <legend>Registration Form</legend> <ol> <li> @Html.LabelFor(m => m.UserName) @Html.TextBoxFor(m => m.UserName) </li> <li> @Html.LabelFor(m => m.Password) @Html.PasswordFor(m => m.Password) </li> <li> @Html.LabelFor(m => m.ConfirmPassword) @Html.PasswordFor(m => m.ConfirmPassword) </li> </ol> <input type="submit" value="Register" /> </fieldset> </form>

1 2 3 4 5 6 7 8 9 10 11

<form method="post" action="http://localhost:51506/Account/Register">       <fieldset>           <legend>Registration Form</legend>           <ol>               <li> @Html.LabelFor(m => m.UserName) @Html.TextBoxFor(m => m.UserName) </li>               <li> @Html.LabelFor(m => m.Password) @Html.PasswordFor(m => m.Password) </li>               <li> @Html.LabelFor(m => m.ConfirmPassword) @Html.PasswordFor(m => m.ConfirmPassword) </li>           </ol> <input type="submit" value="Register" /> </fieldset>   </form>

<form id="aspnetForm" action="/article/purpose-of-validateantiforgerytoken-in-mvc-application/" method="post" data-integralas-id-75abcb8a-c2fb-25b1-46c0-384560e72393=""> <div class="b-container page-body"> <div class="b-row"> <div class="content"> <div class="user-content"> <div class="PaddingLeft5" id="div2">

1 2 3

<form id="aspnetForm" action="/article/purpose-of-validateantiforgerytoken-in-mvc-application/" method="post" data-integralas-id-75abcb8a-c2fb-25b1-46c0-384560e72393=""> <div class="b-container page-body"> <div class="b-row"> <div class="content"> <div class="user-content"> <div class="PaddingLeft5" id="div2">