asp.net - Are intranet sites vulnerable to CSRF? -


i have developed , deployed mvc5 .net app runs within intranet , uses ldap authenticate users. since mvc 5 gives @html.antiforgery() default used them in every from. in production app running in multiple nodes i'm having problems tokens when sessions expire etc.

so wondering if should using them in first place or if remove them since site runs on intranet.

yes, are. example, malicious user send 1 of employees , email containing clear gif url points @ 1 of intranet pages, or employee visit web page contains javascript posts 1 of intranet pages.

the mitigation clear gif attack design intranet site requests never update state or perform sensitive operations.

the mitigation script/post attack include csrf token in of forms.


Comments

Popular posts from this blog

javascript - gulp-nodemon - nodejs restart after file change - Error: listen EADDRINUSE events.js:85 -

Fatal Python error: Py_Initialize: unable to load the file system codec. ImportError: No module named 'encodings' -

javascript - oscilloscope of speaker input stops rendering after a few seconds -