To prevent cross-site request forgery attacks in a .NET 4.0 MVC web application, we have generated CSRF tokens per page by using @Html.AntiForgeryToken(). The token validation is done on each request using the [ValidateAntiForgeryToken] API provided by the framework on the respective controllers and actions.
When the request from the client browser is traced and sent again from a proxy tool with this traced data, the server application accepts it and no validation error is shown.
The traced data contains the generated token value (__RequestVerificationToken) in the request body.
The application is SSL enabled (self-signed certificate) and is hosted over HTTPS.
The tool is able to copy the validated token from the request body, and an attacker can send a new request with this old token, i.e. the validated token is still available. Is there any way to invalidate or remove the already generated form tokens?
We would like to know if there are any other security measures to be considered to prevent cross-site attacks.
The attack you describe is a man-in-the-middle / replay attack, not a CSRF attack. MVC's anti-CSRF API does support replay protection, but setting this up is non-trivial, and it doesn't sound like this would necessarily address your concern anyway. For instance, if I can MITM your application, then I have full access to your authentication cookie. I'd simply be able to log in as you, and I wouldn't have to worry about whether my CSRF tokens were valid, since I could just ask the server to generate new valid ones for me whenever I wanted.
What is the exact scenario you're trying to solve?
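As an added illustration of the distinction the answer draws (this is not part of the original question or answer, and it is not MVC's own anti-forgery implementation), the following Python model of the synchronizer-token pattern runs the scenarios from the thread against a toy server. The server key, user names and the `one_time` switch are constructed for the demo; the only real ingredient is the idea that the form token is an HMAC bound to the session cookie, which is what makes a cross-site request fail while an exact replay of a captured cookie-plus-token request succeeds.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed demo secret. A real deployment derives this from the
# framework's machine key / data-protection key, never a literal.
SERVER_KEY = b"demo-server-key-not-for-production"


class AntiForgeryServer:
    """Toy model of the synchronizer-token pattern (not the MVC code).

    The session cookie identifies the logged-in user. The form token is
    nonce + HMAC(server key, cookie | user | nonce), so it only validates
    together with the cookie it was issued for. With one_time=False the
    token stays valid for the life of the session, which is the behaviour
    the question observed; with one_time=True each nonce is consumed on
    first successful validation, so an exact replay is rejected.
    """

    def __init__(self, one_time: bool):
        self.one_time = one_time
        self.sessions: Dict[str, str] = {}      # cookie -> user name
        self.nonces: Dict[str, Set[str]] = {}   # cookie -> unconsumed nonces

    def login(self, user: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        self.nonces[cookie] = set()
        return cookie

    def _mac(self, cookie: str, user: str, nonce: str) -> str:
        msg = f"{cookie}|{user}|{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_form_token(self, cookie: str) -> str:
        """Rendering a page with a form: anyone holding the cookie gets a token."""
        user = self.sessions[cookie]
        nonce = secrets.token_hex(8)
        self.nonces[cookie].add(nonce)
        return f"{nonce}.{self._mac(cookie, user, nonce)}"

    def validate(self, cookie: str, form_token: Optional[str]) -> bool:
        """Check run on every state-changing request."""
        user = self.sessions.get(cookie)
        if user is None or not form_token or "." not in form_token:
            return False
        nonce, mac = form_token.split(".", 1)
        if not hmac.compare_digest(mac, self._mac(cookie, user, nonce)):
            return False          # token was not issued for this cookie/user
        if self.one_time:
            if nonce not in self.nonces[cookie]:
                return False      # already consumed or never issued
            self.nonces[cookie].discard(nonce)
        return True


def run_scenarios(one_time: bool) -> Dict[str, bool]:
    """Replays the situations discussed in the thread; returns accept/reject per case."""
    srv = AntiForgeryServer(one_time)
    victim_cookie = srv.login("alice")          # constructed user
    token = srv.issue_form_token(victim_cookie)

    results = {}
    # 1. The legitimate browser submits the form once.
    results["legit"] = srv.validate(victim_cookie, token)
    # 2. A proxy resends the captured request: same cookie, same token.
    results["replay"] = srv.validate(victim_cookie, token)
    # 3. Classic CSRF: an attacker page makes the browser send the cookie
    #    but cannot read the victim's page, so it has no token to attach.
    results["csrf_no_token"] = srv.validate(victim_cookie, None)
    # 4. Attacker logs in as themselves and forges with their own token.
    attacker_cookie = srv.login("mallory")      # constructed user
    foreign = srv.issue_form_token(attacker_cookie)
    results["csrf_foreign_token"] = srv.validate(victim_cookie, foreign)
    # 5. Someone who holds the victim's cookie (the MITM case in the answer)
    #    simply asks for a fresh token; one-time nonces do not stop this.
    fresh = srv.issue_form_token(victim_cookie)
    results["mitm_fresh_token"] = srv.validate(victim_cookie, fresh)
    return results
```

Running `run_scenarios(one_time=False)` accepts cases 1, 2 and 5 and rejects 3 and 4, which is exactly the behaviour reported in the question: the token defends against forged cross-origin requests, not against resending a captured one. Switching to `one_time=True` rejects the replay in case 2 but still accepts case 5, because whoever can read the cookie can obtain a fresh valid token; that is the answer's point that replay protection does not address a man-in-the-middle who already holds the session. One-time tokens also break multi-tab browsing and the back button, which is part of why the framework does not enable that mode by default.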