lokeshsp/Daishi.Armor.WebFramework

ASP.NET ARMOR Web Framework

Chat: https://gitter.im/daishisystems/Daishi.Armor.WebFramework

As seen on visualstudiomagazine.com.

The Encrypted Token Pattern is a defence mechanism against Cross-Site Request Forgery (CSRF) attacks and is an alternative to its sister patterns, Synchroniser Token and Double Submit Cookie. The ARMOR Web Framework provides a means to apply this technique to repel CSRF attacks against ASP.NET applications.

Click here for an in-depth tutorial on protecting ASP.NET applications from CSRF attacks using this framework.

Installation

PM> Install-Package Daishi.Armor.WebFramework

Sample Code

Generating Keys

ARMOR requires two keys, an encryption key and a hashing key, both supplied in Base64 format. You can generate the raw key bytes with the code below.

Note: key generation, rotation, and management are outside the scope of ARMOR itself.

using System.Security.Cryptography;

// Two independent 256-bit keys: one for encrypting the token, one for hashing it.
byte[] encryptionKey = new byte[32];
byte[] hashingKey = new byte[32];

// Fill both buffers from the cryptographically secure random number generator.
using (var provider = new RNGCryptoServiceProvider()) {
    provider.GetBytes(encryptionKey);
    provider.GetBytes(hashingKey);
}
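The snippet above produces raw bytes, but ARMOR consumes the keys as Base64 strings, and a key that was pasted into configuration incorrectly is a common way to end up with a non-functional or weakened setup. The following is an added example, not code from the ARMOR project: it generates both keys directly in Base64 form and adds a start-up check that a configured key is valid Base64 of the expected 32-byte length. The class and method names are illustrative.

```csharp
// Added example (not part of the ARMOR project): generate the two 32-byte keys ARMOR
// expects and emit them as Base64, plus a start-up check that a configured Base64 key
// decodes to exactly 32 bytes. Class and method names are illustrative.
using System;
using System.Security.Cryptography;

public static class ArmorKeyTool
{
    // Both ARMOR keys are 32 bytes (256 bits), matching the README sample above.
    public const int KeyLengthBytes = 32;

    // Generate one cryptographically random key and return it Base64-encoded,
    // which is the form ARMOR consumes. Call it twice: the encryption key and the
    // hashing key must be generated independently and never reused for each other.
    public static string NewBase64Key()
    {
        var key = new byte[KeyLengthBytes];
        using (var rng = RandomNumberGenerator.Create()) // CSPRNG; successor to RNGCryptoServiceProvider
        {
            rng.GetBytes(key);
        }
        return Convert.ToBase64String(key);
    }

    // Validate a key read from configuration before the application starts serving
    // requests: it must be well-formed Base64 and decode to exactly 32 bytes.
    // Returns false instead of throwing so the caller can fail fast with a clear message.
    public static bool TryParseKey(string base64, out byte[] key)
    {
        key = null;
        if (string.IsNullOrWhiteSpace(base64)) return false;

        byte[] decoded;
        try
        {
            decoded = Convert.FromBase64String(base64.Trim());
        }
        catch (FormatException)
        {
            // Not valid Base64 (e.g. truncated or hand-edited).
            return false;
        }

        if (decoded.Length != KeyLengthBytes) return false;
        key = decoded;
        return true;
    }

    public static void Main()
    {
        string encryptionKey = NewBase64Key();
        string hashingKey = NewBase64Key();
        Console.WriteLine("Encryption key: " + encryptionKey);
        Console.WriteLine("Hashing key:    " + hashingKey);

        // A freshly generated key must round-trip through the validator...
        byte[] parsed;
        Console.WriteLine("Generated key valid: " + TryParseKey(encryptionKey, out parsed));
        // ...while a truncated copy must be rejected rather than silently accepted.
        Console.WriteLine("Truncated key valid: " + TryParseKey(encryptionKey.Substring(0, 10), out parsed));
    }
}
```

Run `TryParseKey` against each configured key at application start-up, before the fortification filter is registered, so that a malformed or short key aborts start-up instead of surfacing later as token failures.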

Adding Fortification Filters

Add the following filter to ASP.NET Web API applications:

config.Filters.Add(new WebApiArmorFortifyFilter());

Add the following filter to ASP.NET MVC applications:

public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
    filters.Add(new MvcArmorFortifyFilter());
}

Protecting your Endpoints

Add the following attribute to ASP.NET Web API endpoints:

[WebApiArmorAuthorize]

Add the following attribute to ASP.NET MVC endpoints:

[MvcArmorAuthorize]

Integrating with your Authentication Mechanism

Assuming that your application uses claims-based authentication, ARMOR automatically reads the UserId claim with the following reader:

using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Default reader. The `principal` member is the current IPrincipal supplied by the
// ARMOR IdentityReader base class (assumed from this snippet's use of the name).
public override bool TryRead(out IEnumerable<Claim> identity) {
    var claims = new List<Claim>();
    identity = claims;

    // Only a ClaimsIdentity can carry the UserId claim.
    var claimsIdentity = principal.Identity as ClaimsIdentity;
    if (claimsIdentity == null) return false;

    // Exactly one UserId claim is expected; SingleOrDefault throws if there are several.
    var subClaim = claimsIdentity.Claims.SingleOrDefault(c => c.Type.Equals("UserId"));
    if (subClaim == null) return false;

    claims.Add(subClaim);
    return true;
}

If your application uses any other authentication mechanism, create your own implementation of IdentityReader and override TryRead so that it returns the logged-in user's ID as a Claim.
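The following is an added example, not code from the ARMOR project, of the custom reader described above for applications whose authenticated user is not a ClaimsIdentity (Forms or Windows authentication, for instance, where the user ID travels in IIdentity.Name). It assumes, based only on the default reader shown above, that IdentityReader is an abstract class whose constructor takes the current IPrincipal and exposes it as a protected `principal` member; the class name and the claim mapping are illustrative.

```csharp
// Added example (not part of the ARMOR project): an IdentityReader for applications
// whose authenticated user is not a ClaimsIdentity, mapping IIdentity.Name to the
// UserId claim ARMOR reads. Assumptions not confirmed by the README: IdentityReader's
// constructor takes the current IPrincipal and exposes it as a protected `principal`
// member, and TryRead is overridable.
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using Daishi.Armor.WebFramework;

public class NameBasedIdentityReader : IdentityReader
{
    // Claim type ARMOR reads, matching the default reader above.
    private const string UserIdClaimType = "UserId";

    public NameBasedIdentityReader(IPrincipal principal) : base(principal) { }

    public override bool TryRead(out IEnumerable<Claim> identity)
    {
        var claims = new List<Claim>();
        identity = claims;

        // Anonymous or missing principal: report failure so ARMOR has no identity
        // to bind a token to, instead of issuing a token for an empty user ID.
        var currentIdentity = principal == null ? null : principal.Identity;
        if (currentIdentity == null || !currentIdentity.IsAuthenticated) return false;
        if (string.IsNullOrWhiteSpace(currentIdentity.Name)) return false;

        // If the identity already carries a UserId claim, prefer it so behaviour
        // matches the default reader; otherwise derive the claim from Name.
        var claimsIdentity = currentIdentity as ClaimsIdentity;
        var existing = claimsIdentity == null ? null : claimsIdentity.FindFirst(UserIdClaimType);
        claims.Add(existing ?? new Claim(UserIdClaimType, currentIdentity.Name));
        return true;
    }
}
```

The reader returns false for unauthenticated requests rather than throwing, which keeps the decision of how to respond with the ARMOR authorize attribute. How a custom reader is registered with the framework is not shown on this page; consult the tutorial linked above.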

Contact the Developer

Please reach out and contact me for questions, suggestions, or to just talk tech in general.
