How to avoid the CSRF attack in an ASP.NET application

  • Question

  • User-235541030 posted

    Hi Team,

    I am working on resolving CSRF attacks and on how to fix them using a custom header, "X-Requested-With", with its value, or in the following way:

    System.Web.HttpContext.Current.Request.UrlReferrer != null || System.Web.HttpContext.Current.Request.Url.Host == System.Web.HttpContext.Current.Request.Url.Host

    Will this resolve it?

    Please let me know, or suggest any alternative approaches for an ASP.NET application.

    Thanks 

    Monday, May 13, 2019 12:05 PM

All replies

  • User753101303 posted

    Hi,

    And the recommendation you saw is? Testing a value against itself doesn't make sense. Do you want to test the Referer instead? I believe you want rather:

    System.Web.HttpContext.Current.Request.UrlReferrer != null && (System.Web.HttpContext.Current.Request.UrlReferrer.Host == System.Web.HttpContext.Current.Request.Url.Host)

    Are you using MVC? A first step could be https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages if not done already.

    Monday, May 13, 2019 12:19 PM
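The corrected Referer comparison above can be turned into a request-level check. The code below is an added example, not code posted in this thread; the `SameOriginCheck` and `Global` class names and the 403 response are assumptions made for illustration. It prefers the `Origin` header, falls back to `Referer`, and rejects an unsafe request that carries neither, which is the opposite of the `UrlReferrer != null ||` condition in the question.

```csharp
using System;
using System.Web;

// Added example (not the thread's code): a same-origin check for unsafe
// requests. SameOriginCheck and the Global class name are assumptions.
public static class SameOriginCheck
{
    // True for safe methods, or when the Origin (preferred) or Referer host
    // matches the host this request was addressed to.
    public static bool IsSameOrigin(HttpRequest request)
    {
        string method = request.HttpMethod.ToUpperInvariant();
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
        {
            return true; // state-changing work must never happen on these verbs
        }

        // Request.Url.Host is taken from the Host header. Bind the site to a
        // fixed host name in IIS, or compare against a configured value, if
        // the server answers for arbitrary Host values.
        string expectedHost = request.Url.Host;

        // Browsers send Origin on cross-site POSTs and script cannot alter it;
        // an opaque "Origin: null" fails Uri.TryCreate and is rejected.
        string origin = request.Headers["Origin"];
        if (!string.IsNullOrEmpty(origin))
        {
            Uri originUri;
            return Uri.TryCreate(origin, UriKind.Absolute, out originUri)
                && HostsMatch(originUri.Host, expectedHost);
        }

        // Fallback for clients without Origin. A missing Referer is rejected:
        // treating it as trusted would let any client that suppresses the
        // header bypass the check entirely.
        Uri referrer = request.UrlReferrer;
        return referrer != null && HostsMatch(referrer.Host, expectedHost);
    }

    private static bool HostsMatch(string actual, string expected)
    {
        return string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }
}

// Global.asax.cs: apply the check to every request before any handler runs.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!SameOriginCheck.IsSameOrigin(Request))
        {
            Response.StatusCode = 403;
            Response.StatusDescription = "Cross-origin request rejected";
            Response.End();
        }
    }
}
```

Treat this as defence in depth rather than the primary control: Referer can be suppressed by privacy settings or referrer policies, so a token check (as in the later replies) remains the mechanism the request should actually stand or fall on.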
  • User-235541030 posted

    Thanks PatriceSC,

    I would like to implement this in an ASP.NET application and would like to implement cross-site request forgery protection.

    Let me know whether the above statement is enough to validate the page or whether it requires more.

    Thanks

    Monday, May 13, 2019 4:50 PM
  • User475983607 posted

    I would like to implement this in an ASP.NET application and would like to implement cross-site request forgery protection.

    Let me know whether the above statement is enough to validate the page or whether it requires more.

    Please see the reference documentation.

    https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks

    Monday, May 13, 2019 5:50 PM
  • User-893317190 posted

    Hi srinisrinivas,

    Generally speaking, we normally use a CSRF token to prevent CSRF attacks.

    Below is a simple sample of how to implement it in Web Forms.

    Generate a cookie whose value is a GUID. When it is not a postback, set the value in ViewState; when it is a postback, check whether the request contains the GUID, to prevent requests from other websites.

    using System;
    using System.Web;
    using System.Web.UI;

    public partial class SiteMaster : MasterPage
    {
        private const string AntiXsrfTokenKey = "__AntiXsrfToken";

        private string _antiXsrfTokenValue;

        protected void Page_Init(object sender, EventArgs e)
        {
            // Set the CSRF token through a cookie. Guid.NewGuid() is required here:
            // new Guid() always yields the all-zero GUID, which any attacker can guess.
            if (Request.Cookies[AntiXsrfTokenKey] == null)
            {
                _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
                HttpCookie cookie = new HttpCookie(AntiXsrfTokenKey)
                {
                    Value = _antiXsrfTokenValue,
                    HttpOnly = true // keep the token out of reach of script
                };
                Response.SetCookie(cookie);
            }
            else
            {
                _antiXsrfTokenValue = Request.Cookies[AntiXsrfTokenKey].Value;
            }
            Page.PreLoad += master_Page_PreLoad;
        }

        protected void master_Page_PreLoad(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                // Not a postback: store the token in ViewState (MAC-protected by default,
                // so another site cannot forge a ViewState carrying a matching value)
                ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue;
            }
            else
            {
                // Posting back: the ViewState token must match the cookie; if it does not,
                // this may be a request forged from another website
                if (ViewState[AntiXsrfTokenKey] == null
                    || ViewState[AntiXsrfTokenKey].ToString() != _antiXsrfTokenValue)
                {
                    throw new InvalidOperationException("may be a csrf attack");
                }
            }
        }
    }

    For a full guide, you could refer to the link below.

    https://security.stackexchange.com/questions/187740/two-solutions-for-csrf-on-owasp-for-asp-net-webforms

    If you are using MVC, you could use the ValidateAntiForgeryToken attribute.

    https://stackoverflow.com/questions/13621934/validateantiforgerytoken-purpose-explanation-and-example

    Best regards,

    Ackerly Xu

    Tuesday, May 14, 2019 2:16 AM
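For the MVC side mentioned at the end of the reply above, here is an added example (not code from this thread or from the linked answers) of the `ValidateAntiForgeryToken` attribute on a form post, plus the header-based variant for AJAX callers that the question's "custom header" idea is reaching for. `AccountController`, the action names and the `RequestVerificationToken` header name are assumptions; the `AntiForgery.GetTokens` / `AntiForgery.Validate` pair is the public `System.Web.Helpers` API.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example, not the thread's code. AccountController, the action names
// and the "RequestVerificationToken" header name are assumptions.

public class AccountController : Controller
{
    // Form post: pair [ValidateAntiForgeryToken] with @Html.AntiForgeryToken()
    // inside the <form> in the Razor view. The helper writes a hidden
    // __RequestVerificationToken field and a matching cookie; the attribute
    // rejects the POST unless both are present, match, and belong to this user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... update the e-mail address of the signed-in user ...
        return RedirectToAction("Index", "Home");
    }

    // Hands an AJAX client a "cookieToken:formToken" pair to echo back in a
    // header. Same-origin script can fetch this; a page on another site cannot.
    [HttpGet]
    public ActionResult AntiForgeryTokens()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return Content(cookieToken + ":" + formToken, "text/plain");
    }

    // AJAX post: the token travels in a request header instead of a form field.
    [HttpPost]
    [ValidateHeaderAntiForgeryToken]
    public ActionResult ChangeEmailAjax(string newEmail)
    {
        return Json(new { ok = true });
    }
}

// Authorization filter that reads the token pair from the header and validates
// it with the same machinery [ValidateAntiForgeryToken] uses for form fields.
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        string cookieToken = null;
        string formToken = null;

        string header = request.Headers["RequestVerificationToken"];
        if (!string.IsNullOrEmpty(header))
        {
            string[] parts = header.Split(':');
            if (parts.Length == 2)
            {
                cookieToken = parts[0].Trim();
                formToken = parts[1].Trim();
            }
        }

        try
        {
            // Throws when the pair is missing, mismatched, or issued to another user
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Anti-forgery token missing or invalid");
        }
    }
}
```

A custom header alone (such as `X-Requested-With`) only proves that a browser would have needed a CORS preflight to send it; the token approach above proves the caller could read a value issued to this user on this origin, which is the property CSRF protection actually needs.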
  • User-2054057000 posted

    The alternative approach is to use asp-antiforgery Tag Helper to prevent cross-site request forgery (CSRF).

    Thursday, May 16, 2019 11:45 AM
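The `asp-antiforgery` tag helper in the last reply belongs to ASP.NET Core. As an added example (not from this thread), the following shows the tag helper on a form together with the matching server-side configuration: global validation via `AutoValidateAntiforgeryTokenAttribute`, hardened cookie settings, and a header name for AJAX callers. `AccountController`, the action names and the `X-CSRF-TOKEN` header name are assumptions.

```csharp
// Program.cs, ASP.NET Core (6 or later). Added example, not the thread's code;
// AccountController, the action names and the X-CSRF-TOKEN header are assumptions.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllersWithViews(options =>
{
    // Validate on every unsafe verb (POST/PUT/PATCH/DELETE) so a forgotten
    // [ValidateAntiForgeryToken] on a single action is not a hole.
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

builder.Services.AddAntiforgery(options =>
{
    options.HeaderName = "X-CSRF-TOKEN";                 // token may also arrive in this header
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = SameSiteMode.Strict;       // browser will not attach it cross-site
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public AccountController(IAntiforgery antiforgery)
    {
        _antiforgery = antiforgery;
    }

    // Views/Account/ChangeEmail.cshtml:
    //   <form asp-controller="Account" asp-action="ChangeEmail" method="post" asp-antiforgery="true">
    //       <input name="newEmail" type="email" />
    //       <button type="submit">Save</button>
    //   </form>
    // The form tag helper emits the hidden __RequestVerificationToken field and
    // sets the paired cookie; asp-antiforgery="true" makes that explicit.
    [HttpGet]
    public IActionResult ChangeEmail() => View();

    // Validated by the global AutoValidateAntiforgeryToken filter.
    [HttpPost]
    public IActionResult ChangeEmail(string newEmail)
    {
        // ... update the e-mail address of the signed-in user ...
        return RedirectToAction("Index", "Home");
    }

    // Token endpoint for script: fetch this, then send the value in X-CSRF-TOKEN.
    // GetAndStoreTokens also sets the cookie half of the pair on the response.
    [HttpGet]
    public IActionResult CsrfToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Content(tokens.RequestToken!, "text/plain");
    }
}
```

`SameSite=Strict` on the antiforgery cookie is an extra layer, not a replacement for the token: older browsers ignore the attribute, and the token check still has to run.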