Skip to content

IDisposable/Daishi.Armor.WebFramework

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits

Daishi.Armor.WebFramework

Daishi.Armor.WebFramework

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

Daishi.Armor.WebFramework.sln

Daishi.Armor.WebFramework.sln

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

Repository files navigation

Image of insidethecpu

ASP.NET ARMOR Web Framework

Join the chat at https://gitter.im/daishisystems/Daishi.Armor.WebFramework Build status NuGet

As seen on visualstudiomagazine.com.

The Encrypted Token Pattern is a defence mechanism against Cross Site Request Forgery (CSRF) attacks, and is an alternative to its sister-patterns; Synchroniser Token, and Double Submit Cookie. The ARMOR Web Framework provides a means to leverage this technique in repelling CSRF attacks against ASP.NET applications.

Click here for an in-depth tutorial on protecting ASP.NET applications from CSRF attacks using this framework. Image of ARMOR

Installation

PM> Install-Package Daishi.Armor.WebFramework

Sample Code

Generating Keys

ARMOR requires both encryption and hashing keys, in Base64 format. You can generate both keys using the code below.

Note: Key-generation, rotation, and management are out-of-band topics in terms of leveraging ARMOR.

byte[] encryptionKey = new byte[32];
byte[] hashingKey = new byte[32];
 
using (var provider = new RNGCryptoServiceProvider()) {
    provider.GetBytes(encryptionKey);
    provider.GetBytes(hashingKey);
}

Adding Fortification Filters

Add the following filter to ASP.NET Web API applications

config.Filters.Add(new WebApiArmorFortifyFilter());

Add the following filter to ASP.NET MVC applications

public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
    filters.Add(new MvcArmorFortifyFilter());
}

Protecting your Endpoints

Add the following attribute to ASP.NET Web API endpoints

[WebApiArmorAuthorize]

Add the following attribute to ASP.NET MVC endpoints

[MvcArmorAuthorize]

Integrating with your Authentication Mechanism

Assuming that your application leverages Claims-based authentication, ARMOR will automatically read the UserID claim as follows:

public override bool TryRead(out IEnumerable<Claim> identity) {
    var claims = new List<Claim>();
    identity = claims;
 
    var claimsIdentity = principal.Identity as ClaimsIdentity;
    if (claimsIdentity == null) return false;
 
    var subClaim = claimsIdentity.Claims.SingleOrDefault(c => c.Type.Equals(“UserId”));
    if (subClaim == null) return false;
 
    claims.Add(subClaim);
    return true;
}

If your application leverages any other form of authentication mechanism, simply create your own implementation of IdentityReader and override the TryRead method appropriately in order to return the logged-in UserID in Claim-based format.

Contact the Developer

Please reach out and contact me for questions, suggestions, or to just talk tech in general.

RSSTwitterLinkedInGoogle+YouTube

About

Protect ASP.NET Applications Against CSRF Attacks

insidethecpu.com/2015/04/10/protecting-asp-net-applications-against-csrf-attacks/

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C# 98.3%
  • JavaScript 1.7%