I understand that the AntiForgeryToken feature in ASP.NET MVC does prevent cross-site attacks.
However, does it prevent form values from being changed before the POST?
For example, a malicious attacker may find out that the rating page always contains a hidden field containing the rated entity ID and create POST requests to artificially rate all his own entities high.
What is the preferred way to ensure that the form values between a GET and a POST have not been changed?
AntiForgeryToken prevents a malicious site from tricking a user into a form that looks the same as the original and posting it to the original site. It does not prevent the scenario you are describing. Here's how an attacker could proceed in order to circumvent the token:
- The hacker sends a GET request to the form.
- He reads the value of the cookie generated by the AntiForgeryToken.
- He POSTs to the URL handling the form action by sending the cookie, the RequestVerificationToken hidden field which has the same value as the cookie, and the modified entity ID.
As you can see, the only difference compared to not using AntiForgeryToken at all is that the hacker needs to send an additional GET request to read the value of the token.
There's absolutely no way to prevent an attacker from modifying the value of a hidden field other than verifying that the user who submitted the form (I suppose that in order to vote the user has to be authenticated) is not the owner of the entity ID he is voting for.
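The two points above, the token not binding the entity ID and the ownership check being the actual fix, as an added ASP.NET MVC 5 example that is not part of the original question or answer. The `IRatingRepository` interface, the `RateUnchecked`/`Rate` action names and the 1-5 rating range are assumptions made for illustration; the "already rated" check goes slightly beyond the answer, which only discusses ownership.

```csharp
using System;
using System.Web.Mvc;

// Assumed for illustration (not from the original post): a minimal data-access
// abstraction so the controller can be read on its own.
public interface IRatingRepository
{
    // Returns the user name of the entity's owner, or null if the entity does not exist.
    string GetOwner(int entityId);
    // True if this user has already rated this entity.
    bool HasRated(int entityId, string userName);
    void SaveRating(int entityId, string userName, int rating);
}

public class RatingController : Controller
{
    private readonly IRatingRepository _ratings;

    public RatingController(IRatingRepository ratings)
    {
        _ratings = ratings;
    }

    // Vulnerable version. ValidateAntiForgeryToken only proves that the POST carries a
    // cookie/field pair this site issued to this browser; it says nothing about whether
    // entityId is the value that was on the rendered form. The attacker described in
    // the answer does a GET, reads the token, and replays it with any entityId he likes,
    // so this action will happily store a rating for his own entity.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult RateUnchecked(int entityId, int rating)
    {
        _ratings.SaveRating(entityId, User.Identity.Name, rating);
        return RedirectToAction("Details", new { id = entityId });
    }

    // Hardened version. Keep the token (it still stops the cross-site case), but treat
    // every posted field as untrusted input and authorize the request against
    // server-side state for the authenticated user instead of trusting the hidden field.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult Rate(int entityId, int rating)
    {
        // Assumed range; reject anything outside it before touching the database.
        if (rating < 1 || rating > 5)
            return new HttpStatusCodeResult(400, "Rating out of range");

        string owner = _ratings.GetOwner(entityId);
        if (owner == null)
            return HttpNotFound();

        string user = User.Identity.Name;

        // The check the answer recommends: the voter must not own the entity.
        if (string.Equals(owner, user, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(403, "You cannot rate your own entity");

        // Not in the answer, but the same attacker could otherwise replay the token to
        // rate the same entity many times.
        if (_ratings.HasRated(entityId, user))
            return new HttpStatusCodeResult(409, "Already rated");

        _ratings.SaveRating(entityId, user, rating);
        return RedirectToAction("Details", new { id = entityId });
    }
}
```

The important design point is that nothing about the form is trusted: the anti-forgery token decides whether the request may have come from a cross-site page, and the ownership lookup decides whether this user is allowed to perform this action on this entity. Trying instead to "seal" the hidden field (for example by signing it) would only move the problem, because the attacker can still obtain a legitimately sealed field for any entity he can GET a rating page for.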