I use in my form #Html.AntiForgeryToken() and in action I use [ValidateAntiForgeryToken] attribute but when test my site by Acunetix get this error :
HTML form without CSRF protection
html :
<form action="/Car/SearchCar?uniq=-107215139" method="POST" name="form" id="FormCarSearch">
<input name="__RequestVerificationToken" type="hidden" value="NpoBFo4bSCwbm0yZ6dIrpOazM00uX-rKNbru9sfVPGV9cJ8qaDsYaAqsRDDKuy0W0R7gCZSVQu_QN2qD8uTeThan7Ad78GNteLdQN2TKPYJUVD3MrxeeT1YG_i4IYaa6zzENb9CKR1p3zcW9HmDNxA2">
<div class="">
<h4 class="title">
جستجوی خودرو :
</h4>
<div class="row">
<div class="form-group col-sm-6 col-md-2 col-md-push-10 col-sm-push-6 ">
<div class="datepicker-wrap">
<label>از تاریخ </label>
<input name="CarFormDate" autocomplete="off" id="CarFromDate" type="text" class="input-text full-width hasDatepicker" placeholder="از تاریخ ">
</div>
</div>
<div class="form-group col-sm-6 col-md-2 col-md-push-6 DestinationT">
<div class="datepicker-wrap">
<label>تا تاریخ </label>
<input name="CarToDate" autocomplete="off" id="CarToDate" type="text" class="input-text full-width hasDatepicker" placeholder="تا تاریخ ">
</div>
</div>
<div class="form-group col-sm-6 col-md-2 col-md-push-2 col-sm-push-6">
<label> شهر</label>
<div class="selector">
<select class="full-width" name="CarCity" id="CarCity">
<option value="1">کیش</option>
</select><span class="custom-select full-width">کیش</span>
</div>
</div>
<div class="form-group col-sm-6 col-md-2 col-md-pull-2 col-sm-pull-6">
<label>نوع خودرو</label>
<div class="selector">
<select class="full-width" name="CarStyle" id="CarType">
<option value="1">سواری</option>
<option value="2">شاسی بلند</option>
<option value="21">کروک اسپورت</option>
</select><span class="custom-select full-width">سواری</span>
</div>
</div>
<div class="form-group col-sm-6 col-md-2 col-md-pull-6 col-sm-push-6">
<label class="transparent">جستجوی خودرو</label>
<button class="full-width soap-icon-search" type="button" id="SearchCar">جستجوی خودرو</button>
</div>
</div>
</div>
</form>
How to fix this vulnerability:
Check if this form requires CSRF
protection and implement CSRF countermeasures if necessary.
Is there problem in this case?
How can i fix this?
CSRF detection, by very nature, is hard to detect automatically and often requires some form of human verification to check whether the alert is a false positive or not.
There is a really detailed article by Acunetix below regarding CSRF tokens which I would recommend going over - https://www.acunetix.com/websitesecurity/csrf-attacks/
If you need any further details, let me know.
Related
I have an ASP MVC view that contains only a Textbox that takes a string, and a submit button to submit the value.
I want to add the validation error message with an Icon before it as in the following snippet:
<div class="form-group row">
<label class="col-sm-4 col-form-label">Check User Id</label>
<div class="col-sm-8">
<input asp-for="#Model.userId" type="text" class="form-control" />
</div>
</div>
<div class="form-group row">
<label class="col-sm-4 col-form-label"></label>
<div class="col-sm-8">
<input type="submit" class="btn btn-primary" value="Check" asp-action="Index" asp-controller="UserController" />
<div class="col-sm-8">
<i asp-validation-for="userId" class="fa fa-info-circle"></i>
<span asp-validation-for="userId" class="text-dark"></span>
</div>
</div>
</div>
My Problem now is that the info Icon is always showing, and I want it to show ONLY if there is an error/validation message. Is there a way to achieve that from the view only with no changes to the Business logic?
I created a dropdown menu to log in instead of logging in at Login.cshtml but i can't seem to be able to use the model that contains the email password etc. I am not sure how to explain this but here is what i made so far:
I created the dropdown form and placed it in _LoginPartial.cshtml so it shows on the navbar
<div class="dropdown">
<button class="btn btn-secondary dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
Log-In
</button>
<div class="dropdown-menu" aria-labelledby="dropdownMenuButton" style="width: 300px" >
<!----------->
<div class="col-lg-12">
<div class="text-center">
<h3><b>Log In</b></h3></div>
<form id="ajax-login-form" method="post" role="form" autocomplete="off">
<div class="form-group">
<label for="username">Username</label>
<input type="text" name="username" id="username" tabindex="1" class="form-control" placeholder="Username" value="" autocomplete="off">
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password" name="password" id="password" tabindex="2" class="form-control" placeholder="Password" autocomplete="off">
</div>
<div class="form-group">
<div class="col-xs-5">
<input type="submit" name="login-submit" id="login-submit" tabindex="4" class="form-control btn btn-danger" value="Log In">
</div>
</div>
<div class="col-xs-5" align="Center">
<input type="checkbox" tabindex="3" name="remember" id="remember">
<label for="remember"> Remember Me</label>
</div>
<div class="form-group">
<div class="row">
<div class="col-lg-12">
<div class="text-center">
<a tabindex="5" class="forgot-password">Forgot Password?</a>
</div>
</div>
</div>
</div>
</form>
</div>
and after this, i thought i can easily just insert #model loginmodel and i can start using that model but i'm met with so many errors. Any advice on how to do this? I am also open to other approaches too
I have several textboxes within Bootstrap columns that I want to bring closer to one another, but no matter what I do the distance between textboxes stays the same.
How can I
Shorten the distance between the textboxes?
Shorten/make more narrow the column background or bring the textbox closer to the outside of a column
Here is the code that I have
<div class="col-xs-12 col-md-2">
<div class="well form-group">
<div class="bisformdynamiclabel">Box 1</div>
<input class="form-control" type="text" asp-for="myclass.box1" />
<span asp-validation-for="myclass.box1" class="alert-danger"></span>
</div>
</div>
<div class="col-xs-12 col-md-2">
<div class="well form-group">
<div class="bisformdynamiclabel">Box 2</div>
<input class="form-control" type="text" asp-for="myclass.box2" />
<span asp-validation-for="myclass.box2" class="alert-danger"></span>
</div>
</div>
<div class="col-xs-12 col-md-2">
<div class="well form-group">
<div class="col-lg-1">
<div class="bisformdynamiclabel">Box 3</div>
<input class="form-control" type="text" asp-for="myclass.box3" />
<span asp-validation-for="myclass.box3" class="alert-danger"></span>
</div>
</div>
</div>
Thank you in advance for everyone's help
I can't seem to align an input-group-addon correctly in an ASP.NET View.
<form asp-action="Create">
<div class="form-horizontal">
<h4>Category</h4>
<hr />
<div asp-validation-summary="ValidationSummary.ModelOnly" class="text-danger"></div>
<div class="form-group">
<label asp-for="Hex" class="col-md-2 control-label"></label>
<div class="col-md-10">
<div class="input-group">
<div class="input-group-addon"><i></i></div>
<input asp-for="Hex" class="form-control" value="" />
<span asp-validation-for="Hex" class="text-danger" />
</div>
</div>
</div>
<div class="form-group">
<label asp-for="CompanyId" class="col-md-2 control-label"></label>
<div class="col-md-10">
<select asp-for="CompanyId" asp-items="Model.Companies" class="form-control">
<option value="">--Please Select--</option>
</select>
</div>
</div>
<div class="form-group">
<label asp-for="Name" class="col-md-2 control-label"></label>
<div class="col-md-10">
<input asp-for="Name" class="form-control" />
<span asp-validation-for="Name" class="text-danger" />
</div>
</div>
<div class="form-group">
<div class="col-md-offset-2 col-md-10">
<input type="submit" value="Create" class="btn btn-default" />
</div>
</div>
</div>
</form>
This looks fine in JSFiddle (after adding labels back in). But looks like this when I run the View:
If I swap the input-group-addon and the input the addon floats off to the right.
Could this be something to do with the way a child View is rendered by the _layout view?
Could this be something to do with the way a child View is rendered by the _layout view?
Yup. Especially with renderbody.
Since I have save button in the right menu. so when I pressed save in the right menu, it should save the values into the bean without submitting the form.
<form action="personal-info.action" id = "userform" name="userform" method="post">
<div class="clearfix">
<h2>Basic Information</h2>
<div class="row">
<div class="col-sm-6">
<div class="row">
<div class="form-group clearfix col-sm-12 col-xs-6">
<label>Title</label>
<div>
<s:select list="titleList" listKey="displayKey" onChange="jsFunction()" listValue="displayValue" name="title" id ="title" cssClass="selectpicker show-tick" required="true" />
<!-- <select class="selectpicker show-tick" data-width="auto" name="title" required>
<option value="Mr.">Mr.</option>
<option value="Ms.">Ms.</option>
<option value="Mrs.">Mrs.</option>
</select> -->
</div>
</div>
<div class="form-group clearfix col-sm-12 col-xs-6">
<label>Gender</label>
</form>