{"id":773,"date":"2016-09-01T09:27:50","date_gmt":"2016-09-01T06:27:50","guid":{"rendered":"https:\/\/gokhan-gokalp.com\/?p=773"},"modified":"2016-09-01T09:32:26","modified_gmt":"2016-09-01T06:32:26","slug":"asp-net-web-apida-cross-site-request-forgery-csrf-saldiri-guvenligi","status":"publish","type":"post","link":"https:\/\/gokhan-gokalp.com\/tr\/asp-net-web-apida-cross-site-request-forgery-csrf-saldiri-guvenligi\/","title":{"rendered":"Asp.Net Web API’da Cross-Site Request Forgery (CSRF) Sald\u0131r\u0131 G\u00fcvenli\u011fi"},"content":{"rendered":"

Merhaba arkada\u015flar.<\/p>\n

Gelen sorular \u00fczerine bu yaz\u0131mda\u00a0sizlerle Asp.Net Web API’da Cross-Site Request Forgery(CSRF)<\/strong> sald\u0131r\u0131lar\u0131na kar\u015f\u0131 g\u00fcvenli\u011fi nas\u0131l ele\u00a0alabiliriz’i k\u00fc\u00e7\u00fck \u00e7apta anlatmaya \u00e7al\u0131\u015faca\u011f\u0131m. Zaten bir \u00e7o\u011fumuzun Asp.Net MVC<\/strong>‘den AntiForgeryToken\u00a0<\/strong>ile a\u015fina oldu\u011fu bir konu olabilir. AntiForgeryToken\u00a0implementasyonunu Web API baca\u011f\u0131nda ise custom olarak kendimiz ger\u00e7ekle\u015ftirece\u011fiz.<\/p>\n

\"csrf\"<\/a><\/p>\n

Dilerseniz \u00f6ncelikle CSRF hakk\u0131ndaki bilgimizi biraz\u00a0g\u00fcncelleyelim.<\/p>\n

CSRF ata\u011f\u0131 sald\u0131rgan taraf\u0131ndan son kullan\u0131c\u0131n\u0131n kulland\u0131\u011f\u0131 uygulamada, iste\u011fi d\u0131\u015f\u0131nda i\u015flemler yapt\u0131r\u0131labilmesidir\u00a0diyebiliriz.<\/p><\/blockquote>\n

Bir \u00fcstteki resme bakt\u0131\u011f\u0131m\u0131zda ise burada Attacker’\u0131n Victim’a bir link g\u00f6nderdi\u011fini ve burada bir form submit i\u015fleminin yap\u0131ld\u0131\u011f\u0131n\u0131 (iste\u011finin d\u0131\u015f\u0131nda) g\u00f6r\u00fcyoruz. Sonras\u0131nda ise Attacker’\u0131n iste\u011fi do\u011frultusunda ilgili Response al\u0131nd\u0131ktan sonra Bank Server’a Victim’\u0131n \u00a0data+cookie gibi ge\u00e7erli session bilgileri ile g\u00f6nderilebildi\u011fini\u00a0g\u00f6r\u00fcyoruz.\u00a0Biraz u\u00e7 bir \u00f6rnek olsada CSRF sald\u0131r\u0131lar\u0131n\u0131n i\u015fleyi\u015f bi\u00e7imi bu \u015fekildedir diyebiliriz. Denk\u00a0gelinebilmesi biraz zor bir a\u00e7\u0131k olsa da gerekti\u011fi durumlarda \u00f6nlemini almak iyi olacakt\u0131r.<\/p>\n

Yukar\u0131daki u\u00e7\u00a0\u00f6rne\u011fimizde bulunan ak\u0131\u015fta, son kullan\u0131c\u0131ya sald\u0131rgan taraf\u0131ndan t\u0131klat\u0131lan en basitinden \u00f6rnek form’a bakmak gerekirse de:<\/p>\n

<h1>Fake Bank Form<\/h1>\r\n  <form action=\"http:\/\/www.foobank.com\/api\/transfer\" method=\"post\">\r\n    <input type=\"hidden\" name=\"SessionId\" value=\"123456\" \/>\r\n    <input type=\"hidden\" name=\"Amount\" value=\"100\" \/>\r\n  <input type=\"submit\" value=\"Transfer\"\/>\r\n<\/form><\/pre>\n
1)\u00a0AntiForgeryToken mant\u0131\u011f\u0131 nas\u0131l \u00e7al\u0131\u015f\u0131r?<\/h4>\n
Client taraf\u0131nda ilgili form’a \u00f6zel encrypted bir AntiForgeryToken olu\u015fturulur ve bir adette cookie i\u00e7erisinde olu\u015fturulur. Bu token MVC taraf\u0131nda\u00a0a\u015fa\u011f\u0131daki kod sat\u0131r\u0131 ile olu\u015fturulmaktad\u0131r.<\/p>\n
@Html.AntiForgeryToken()<\/pre>\n
\u0130lgili form POST\u00a0edildi\u011finde ise AntiForgeryToken server taraf\u0131nda decrypt edilerek cookie’deki de\u011fer ile kar\u015f\u0131la\u015ft\u0131r\u0131l\u0131r ve validation i\u015flemlerinden ge\u00e7irilir. Bu sayede Cross-Site istekleri\u00a0engellenmi\u015f olunur.<\/p>\n
2) Asp.Net Web API taraf\u0131nda AntiForgeryToken implementasyonu<\/h4>\n
Implementasyon i\u015flemini Web API’\u0131n filter’lar\u0131 ile ger\u00e7ekle\u015ftirece\u011fiz. Bunun i\u00e7in\u00a0IAuthorizationFilter<\/strong>\u00a0interface’inden yararlanaca\u011f\u0131z. Implementasyona ba\u015flamadan \u00f6nce Nuget Package Manager \u00fczerinden “Microsoft.AspNet.WebPages” paketini y\u00fcklememiz gerekmektedir. Bu paket yard\u0131m\u0131 ile “System.Web.Helpers” namespace’i alt\u0131nda bulunan, AntiForgery<\/strong> s\u0131n\u0131f\u0131n\u0131 kullanabilece\u011fiz.<\/p>\n
ValidateHttpAntiForgeryTokenAttribute\u00a0<\/strong>isminde bir class olu\u015ftural\u0131m ve a\u015fa\u011f\u0131daki gibi kodlayal\u0131m.<\/p>\n
using System;\r\nusing System.Net;\r\nusing System.Net.Http;\r\nusing System.Threading;\r\nusing System.Threading.Tasks;\r\nusing System.Web.Helpers;\r\nusing System.Web.Http.Controllers;\r\nusing System.Web.Http.Filters;\r\n\r\nnamespace AspNetWebAPIAntiForgeryToken.Filters\r\n{\r\n    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]\r\n    public sealed class ValidateHttpAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter\r\n    {\r\n        public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)\r\n        {\r\n            try\r\n            {\r\n                AntiForgery.Validate();\r\n            }\r\n            catch(Exception ex)\r\n            {\r\n                \/\/ Loglama i\u015flemleri yap\u0131lmal\u0131d\u0131r\r\n\r\n                actionContext.Response = new HttpResponseMessage\r\n                {\r\n                    StatusCode = HttpStatusCode.Forbidden\r\n                };\r\n\r\n                return FromResult(actionContext.Response);\r\n            }\r\n\r\n            return continuation();\r\n        }\r\n\r\n        private Task<HttpResponseMessage> FromResult(HttpResponseMessage result)\r\n        {\r\n            var taskCompletionSource = new TaskCompletionSource<HttpResponseMessage>();\r\n\r\n            taskCompletionSource.SetResult(result);\r\n\r\n            return taskCompletionSource.Task;\r\n        }\r\n    }\r\n}<\/pre>\n
Olu\u015fturmu\u015f oldu\u011fumuz attribute i\u00e7erisinde\u00a0ExecuteAuthorizationFilterAsync<\/strong> method’undan yararlanarak, i\u00e7erisinde AntiForgery.Validate()<\/strong> method’unu \u00e7a\u011f\u0131r\u0131yoruz. Bu method kendisine g\u00f6nderilen AntiForgeryToken’\u0131\u00a0decrypt i\u015fleminden ge\u00e7irerek, validation i\u015flemlerini ger\u00e7ekle\u015ftirmektedir. E\u011fer validation i\u015flemlerinden ge\u00e7emezse bu noktada exception’a d\u00fc\u015fmektedir.<\/p>\n
\u015eimdi bir TestController<\/strong> olu\u015ftural\u0131m ve olu\u015fturmu\u015f oldu\u011fumuz attribute’\u00fc a\u015fa\u011f\u0131daki gibi kullanal\u0131m.<\/p>\n
using System.Net;\r\nusing System.Net.Http;\r\nusing System.Web.Http;\r\nusing AspNetWebAPIAntiForgeryToken.Filters;\r\n\r\nnamespace AspNetWebAPIAntiForgeryToken.Controllers\r\n{\r\n    public class TestController : ApiController\r\n    {\r\n        [ValidateHttpAntiForgeryToken]\r\n        public HttpResponseMessage Post()\r\n        {\r\n            return Request.CreateResponse(HttpStatusCode.OK);\r\n        }\r\n    }\r\n}<\/pre>\n
Asp.Net Web API taraf\u0131 \u015fuan CSRF i\u00e7in haz\u0131r durumda. Test i\u015flemlerimizi ger\u00e7ekle\u015ftirebilmemiz i\u00e7in, i\u00e7erisinde POST i\u015flemi ger\u00e7ekle\u015ftirecek olan\u00a0basit bir form’a sahip MVC uygulamas\u0131 olu\u015ftural\u0131m.<\/p>\n
Form’u a\u015fa\u011f\u0131daki gibi d\u00fczenleyelim.<\/p>\n
<form action=\"http:\/\/localhost:57955\/api\/test\" method=\"post\">\r\n    @Html.AntiForgeryToken()\r\n\r\n    <div class=\"form-horizontal\">\r\n        <div class=\"form-group\">\r\n            Email\r\n            <div class=\"col-md-10\">\r\n                <input type=\"text\" class=\"form-control\" \/>\r\n            <\/div>\r\n        <\/div>\r\n\r\n        <div class=\"form-group\">\r\n            New Password\r\n            <div class=\"col-md-10\">\r\n                <input type=\"text\" class=\"form-control\" \/>\r\n            <\/div>\r\n        <\/div>\r\n\r\n        <div class=\"form-group\">\r\n            <div class=\"col-md-offset-2 col-md-10\">\r\n                <input type=\"submit\" value=\"Complete\" class=\"btn btn-default\" \/>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div>\r\n<\/form><\/pre>\n
Burada bizim i\u00e7in \u00f6nemli olan sadece AntiForgeryToken’\u0131 olu\u015fturacak olan “Html.AntiForgeryToken()” k\u0131sm\u0131d\u0131r. MVC uygulamas\u0131n\u0131 \u00e7al\u0131\u015ft\u0131r\u0131p kaynak kodu g\u00f6r\u00fcnt\u00fcledi\u011fimizde\u00a0ise, her seferinde farkl\u0131 bir token \u00fcretti\u011fini de g\u00f6rebiliriz.<\/p>\n
<input name=\"__RequestVerificationToken\" type=\"hidden\" value=\"EC5S9Ew_yO9NWtprV9MoDY9-FVsNnbeRXB7glpC3-8qeR7AbA_xvQ-AdsxnIga5an8Pda4eAgG8V9QaeZswvxbcxwhI1\" \/><\/pre>\n
Yukar\u0131daki\u00a0formun POST edilece\u011fi adres, local’imdeki Web API’\u0131 host etti\u011fim “http:\/\/localhost:57955\/api\/test” adresidir. Sizde bu k\u0131sm\u0131 kendi local adresiniz ile de\u011fi\u015ftirebilirsiniz.<\/p>\n
\u0130lk denememizi yapabilmek ad\u0131na dilerseniz her iki projeyi de ayn\u0131 anda \u00e7al\u0131\u015ft\u0131ral\u0131m. \u00c7al\u0131\u015ft\u0131rd\u0131ktan sonra Web API k\u0131sm\u0131ndaki geli\u015ftirmi\u015f oldu\u011fumuz token’\u0131n “AntiForgery.Validate()” sat\u0131r\u0131na bir break point koyal\u0131m ve MVC uygulamas\u0131ndaki form’da submit i\u015flemini ger\u00e7ekle\u015ftirelim. Bakal\u0131m token validation i\u015flemlerinden ge\u00e7ebilecek mi?<\/p>\n
\"antiforgerytoken_1\"<\/a><\/p>\n
Ups! validation i\u015flemi ger\u00e7ekle\u015femedi. Bunun sebebi ise olu\u015fturulan AntiForgeryToken’lar “machineKey” i\u00e7erisindeki “validation” ve “decryption” key bilgilerine g\u00f6re olu\u015fturulmaktad\u0131r t\u0131pk\u0131 OAuth 2.0’da oldu\u011fu gibi. Bu i\u015flemin iki taraf i\u00e7inde ortak ger\u00e7ekle\u015ftirilebilmesi yani ayn\u0131 dilden\u00a0konu\u015fabilmeleri i\u00e7in ayn\u0131 “machineKey” bilgilerine sahip olmalar\u0131 gerekmektedir.<\/p>\n
IIS Manager \u00fczerinden h\u0131zl\u0131ca machineKey bilgilerini olu\u015fturabilirsiniz. Ben her iki uygulamam i\u00e7in “web.config” i\u00e7erisindeki “system.web” alt\u0131na ilgili “machineKey” bilgilerini, a\u015fa\u011f\u0131daki gibi tan\u0131ml\u0131yorum.<\/p>\n
<system.web>\r\n  <compilation debug=\"true\" targetFramework=\"4.5.2\"\/>\r\n  <httpRuntime targetFramework=\"4.5.2\"\/>\r\n\r\n  <machineKey validationKey=\"994FD669298C7B30E765A8E6118D4140746A83EF0A89F94EBEF02EF2991FA5C808F2DAAD91E8D649DEF9A1F31E398CA1D7C8D2B7A21EB3E81F7A824456BEA1BC\" \r\n              decryptionKey=\"B550B27413F1DBB46A37CC54620FCF4F78AAE1A22E4AD71DF185EDF4F9AC5726\" \r\n              validation=\"SHA1\" decryption=\"AES\" \/>\r\n<\/system.web><\/pre>\n
\u0130ki uygulamay\u0131 \u015fimdi tekrar\u00a0\u00e7al\u0131\u015ft\u0131r\u0131p, “AntiForgery.Validate()” sat\u0131r\u0131ndaki debug noktas\u0131na bir kez daha\u00a0g\u00f6z atal\u0131m.<\/p>\n
\"antiforgerytoken_2\"<\/a><\/p>\n
Bu sefer ba\u015far\u0131l\u0131 bir \u015fekilde validate i\u015fleminin ger\u00e7ekle\u015fti\u011fini g\u00f6rebilmekteyiz.<\/p>\n
AntiForgery<\/strong> s\u0131n\u0131f\u0131n\u0131n Validate<\/strong> method’unun arkaplan\u0131ndaki\u00a0kontrol i\u015fleminde ise form aray\u00fcz\u00fcnden POST edilen AntiForgeryToken ile, cookie’ye yaz\u0131lan token’lar server taraf\u0131nda\u00a0decrypt edilerek kontrol edilmektedir ve validation i\u015flemleri ger\u00e7ekle\u015ftirilmektedir.<\/p>\n
3) Dikkat edilmesi gereken bir ka\u00e7 nokta<\/h4>\n