Is HTTPS vulnerable to CSRF?

Question

Background:

I have an MVC 3 .NET app and was reading up on antiforgerytoken Here . I'm fine with using antiforgerytoken to help prevent this attack but I also know my site is running HTTPS TLS 1+.

Question:

Can someone preform the kind of Cross-Browser Attack antiforgerytoken are designed to prevent over HTTPS with TLS 1+?

Answer 1

Short answer: HTTPS does not prevent a CSRF attack.

if a bad guy puts a form on his site that posts to your site with some instructions to do something that the user wouldn't want, HTTPS is not going to stop it.

Example:

let's say your site has a page called account.aspx, and if the POST variable 'delete' is sent with a value of 'true', the current account is deleted. a bad guy could put this on his site

<form action="https://your.site.com/account.aspx" method="post">
  <input type="hidden" name="delete" value="true" />
  <input type="submit" value="Like this on Facebook" />
</form>

Now, if one of your users happens to be logged into your site and clicks this button, their browser will be directed to your site, and their account will be deleted. HTTPS will still encrypt the communication between their site and your browser, and will not, in any way, prevent this attack. If, however, your site is using an anti forgery token, the attacker would need to put that token in his form, and if you implement it right, he will have no way of knowing what the token is.

Answer 2

https might prevent a man in the middle attack. but i can manipulate the html anyway i want if i get a script on your site.

for a detailed description you can look for example here http://www.devcurry.com/2013/01/what-is-antiforgerytoken-and-why-do-i.html

https only ensures the server is saying that it is who it claims to be. not that the client didn't do anything strange.