1

I understand Cross-Site Request Forgery and found numerous blogs,articles on web to handle it in asp.net mvc,but have not got a decent links,helpful solutions to deal with CSRF attacks in asp.net web applications.I have ran a security tool on my website,and its reporting the cross site request forgery and showing the risk

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

My question is how to deal with CSRF attacks in ASP.NET web applications?

Christoph Fink
  • 22,727
  • 9
  • 68
  • 113
F11
  • 3,703
  • 12
  • 49
  • 83

3 Answers3

2

If you look at the second link you posted you see the logic of the Html.AntiForgeryToken() validation in MVC:

void ValidateRequestHeader(HttpRequestMessage request)
{
    string cookieToken = "";
    string formToken = "";

    IEnumerable<string> tokenHeaders;
    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
    {
        string[] tokens = tokenHeaders.First().Split(':');
        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }
    AntiForgery.Validate(cookieToken, formToken);
}

Shouldn't be that hard to do the same in your web-forms app.

See THIS answer for a possible solution.

Community
  • 1
  • 1
Christoph Fink
  • 22,727
  • 9
  • 68
  • 113
1

The ViewState mechanism can be used to protect against CSRF in a web forms app.

ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a control. Viewstate can be used as a CSRF defense, as it is difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF

Also regarding your other question on CSRF:

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

A CSRF attack usually doesn't allow an attacker to view anything, only to make requests on behalf of the logged in user. However, if there was a change password option that doesn't require the current password to be submitted, the attacker might be able to call this function using the victim's session for the attacker to then later log in directly as the victim user.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
1

Is there any solution for the same in Asp.net Web form application which will handle in Global.asax.

In MVC it becomes very simple but if old application is simple web form and want to prevent from such attack at global level then what will be the solution.

Nikolay Kostov
  • 16,433
  • 23
  • 85
  • 123
Vishal Hatiskar
  • 101
  • 2
  • 10