
Prevent Cross-Site Request Forgery

Question:

I understand <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29" rel="nofollow">Cross-Site Request Forgery</a> and have found numerous blogs and articles on the web about handling it in <a href="http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-%28csrf%29-attacks" rel="nofollow">asp.net mvc</a>, but I have not found decent links or helpful solutions for dealing with CSRF attacks in ASP.NET web applications. I have run a <a href="http://www-03.ibm.com/software/products/en/appscan" rel="nofollow">security tool</a> on my website, and it is reporting cross-site request forgery and showing the risk:

<em>It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user</em>

My question is how to deal with CSRF attacks in ASP.NET web applications?

Answer1:

The <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Viewstate_.28ASP.NET.29" rel="nofollow">ViewState mechanism can be used to protect against CSRF</a> in a web forms app.

<blockquote>

ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a control. Viewstate can be used as a CSRF defense, as it is difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF

</blockquote>

Also, regarding your other question on CSRF:

<blockquote>

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

</blockquote>

A CSRF attack usually doesn't allow an attacker to view anything, only to make requests on behalf of the logged-in user. However, if there were a change-password option that doesn't require the current password to be submitted, the attacker might be able to call this function using the victim's session, and then later log in directly as the victim user.

Answer2:

If you look at the second link you posted, you see the logic of the Html.AntiForgeryToken() validation in MVC:

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Web.Helpers;

void ValidateRequestHeader(HttpRequestMessage request)
{
    string cookieToken = "";
    string formToken = "";

    // The client sends both halves of the anti-forgery token in one header, "cookie:form".
    IEnumerable<string> tokenHeaders;
    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
    {
        string[] tokens = tokenHeaders.First().Split(':');
        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }

    // Throws HttpAntiForgeryException if the two halves do not match (or are missing).
    AntiForgery.Validate(cookieToken, formToken);
}
```

It shouldn't be that hard to do the same in your Web Forms app.

See <a href="https://stackoverflow.com/a/2553583/472434" rel="nofollow">THIS</a> answer for a possible solution.

Answer3:

Is there any solution for the same in an ASP.NET Web Forms application which will handle it in Global.asax?

In MVC it becomes very simple, but if the old application is a plain Web Forms app and we want to prevent such attacks at the global level, then what will be the solution?
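As an added example (not code from the question or from any of the answers), a Global.asax.cs that applies both defences discussed above centrally, the way Answer3 asks for: the ViewStateUserKey tied to the session from Answer1, plus a per-session synchronizer token checked on every POST, which is the same cookie/form comparison Answer2 shows but with the server-side copy kept in Session instead of a cookie. The hidden-field name and the 32-byte token size are assumptions.

```csharp
// Global.asax.cs, added example: central CSRF defence for every Page in a Web Forms app.
// Assumes session state is enabled and that pages use a runat="server" form (the hidden
// field is only rendered inside such a form). Hidden-field name is an assumption.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    private const string TokenKey = "__RequestVerificationToken";

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        var page = Context.Handler as Page;
        if (page == null || Context.Session == null) return;   // not a Page, or no session state
        // Must be set before Init; a ViewState captured in another session then fails MAC validation.
        page.PreInit += (s, a) => page.ViewStateUserKey = page.Session.SessionID;
        // Put the session's token into the <form> so the next POST carries it back.
        page.PreRender += (s, a) => page.ClientScript.RegisterHiddenField(TokenKey, GetOrCreateToken());
        if (Request.HttpMethod == "POST" && !PostCarriesValidToken())
        {
            Response.StatusCode = 403;   // refuse before the Page's own event pipeline runs
            CompleteRequest();
        }
    }

    private string GetOrCreateToken()
    {
        var token = Session[TokenKey] as string;
        if (token != null) return token;
        var bytes = new byte[32];                        // assumed token size
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        Session[TokenKey] = token = Convert.ToBase64String(bytes);
        return token;
    }

    private bool PostCarriesValidToken()
    {
        var expected = Session[TokenKey] as string;   // null when the session is new or expired
        var presented = Request.Form[TokenKey];
        return expected != null && presented != null && FixedTimeEquals(expected, presented);
    }

    // Compare every character so response time does not reveal how long a matching prefix was.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Only requests handled by a Page are checked here; generic handlers (.ashx) and web services that accept POSTs need the same token check added separately.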
