Asked by:
How to avoid CSRF attacks in an ASP.NET application

Question
-
User-235541030 posted
Hi Team,
I am working to resolve CSRF attacks and want to know how to fix them using a custom header, "X-Requested-With", having its value, or in the following way:
System.Web.HttpContext.Current.Request.UrlReferrer != null || System.Web.HttpContext.Current.Request.Url.Host == System.Web.HttpContext.Current.Request.Url.Host))
Will this resolve it?
Please let me know, or any alternative approaches for an ASP.NET application.
Thanks
Monday, May 13, 2019 12:05 PM
All replies
-
User753101303 posted
Hi,
And the recommendation you saw is? Testing a value against itself doesn't make sense. You want to test the referer instead? I believe you want rather:
System.Web.HttpContext.Current.Request.UrlReferrer != null && (System.Web.HttpContext.Current.Request.UrlReferrer.Host== System.Web.HttpContext.Current.Request.Url.Host)
You are using MVC? A first step could be https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages if not done already.
Monday, May 13, 2019 12:19 PM -
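The corrected referer comparison from the reply above, worked into a reusable check, as an added example that is not part of the thread or of any Microsoft sample: an HttpModule that rejects state-changing requests whose Origin header (or, when Origin is absent, Referer) does not name the site's own host. The class name SameOriginCheckModule, the ExpectedHost constant and the web.config entry are assumptions for this illustration; an anti-forgery token remains the primary CSRF control, and this is a defense-in-depth layer on top of it.

```csharp
using System;
using System.Web;

// Added example, not from the thread. Registered as an HttpModule, it runs on
// every request and rejects POST/PUT/DELETE/PATCH whose Origin/Referer host is
// not ours. ASSUMPTION: the site is served under exactly one hostname; with
// several, replace ExpectedHost with an allow-list.
public class SameOriginCheckModule : IHttpModule
{
    // Hypothetical canonical host; do not derive this from Request.Url.Host,
    // which is taken from the client-supplied Host header.
    private static readonly string ExpectedHost = "www.example.com";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) => Check(((HttpApplication)sender).Context);
    }

    public void Dispose() { }

    private static void Check(HttpContext ctx)
    {
        var req = ctx.Request;
        // Safe methods are not CSRF targets as long as nothing changes state on GET.
        var m = req.HttpMethod;
        if (m == "GET" || m == "HEAD" || m == "OPTIONS")
            return;

        if (!IsSameOrigin(req.Headers["Origin"], req.UrlReferrer, ExpectedHost))
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // Browsers send Origin on cross-site POSTs; Referer is the fallback for
    // older clients. A literal "null" Origin, a malformed Origin and a missing
    // Referer are all rejected, because an attacker can cause each of them.
    public static bool IsSameOrigin(string origin, Uri referrer, string expectedHost)
    {
        if (!string.IsNullOrEmpty(origin))
        {
            Uri o;
            return Uri.TryCreate(origin, UriKind.Absolute, out o)
                && string.Equals(o.Host, expectedHost, StringComparison.OrdinalIgnoreCase);
        }
        return referrer != null
            && string.Equals(referrer.Host, expectedHost, StringComparison.OrdinalIgnoreCase);
    }
}
```

Under IIS integrated mode the module is enabled with `<system.webServer><modules><add name="SameOriginCheck" type="SameOriginCheckModule, YourAssemblyName" /></modules></system.webServer>` in web.config (assembly name assumed). The host is compared, never a substring of the full URL, so `www.example.com.attacker.net` does not pass; the cost is that users whose browser or proxy strips both Origin and Referer will be refused on POST, which is why this should accompany a token rather than replace one.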
User-235541030 posted
Thanks PatriceSC,
I would like to implement this in an ASP.NET application and would like to implement cross-site request forgery protection.
Let me know whether the above statement is enough to validate the page or it requires more.
Thanks
Monday, May 13, 2019 4:50 PM -
User475983607 posted
I would like to implement this in an ASP.NET application and would like to implement cross-site request forgery protection.
Let me know whether the above statement is enough to validate the page or it requires more.
Please see the reference documentation.
Monday, May 13, 2019 5:50 PM -
User-893317190 posted
Hi srinisrinivas,
Generally speaking, we normally use a CSRF token to prevent CSRF attacks.
Below is a simple sample of how to implement it in Web Forms.
Generate a cookie whose value is a GUID; when the request is not a postback, set the value in ViewState; when it is a postback, check whether the request contains the GUID, to prevent requests from other websites.
    using System;
    using System.Web;
    using System.Web.UI;

    // The cookie name and the ViewState key share this name.
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        // Set the CSRF token through a cookie on the first visit, or read the existing one.
        if (Request.Cookies[AntiXsrfTokenKey] == null)
        {
            // Guid.NewGuid() gives a random value; new Guid() would be all zeros.
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
            HttpCookie cookie = new HttpCookie(AntiXsrfTokenKey)
            {
                Value = _antiXsrfTokenValue,
                HttpOnly = true // prevent client-side script from reading the token
            };
            Response.SetCookie(cookie);
        }
        else
        {
            _antiXsrfTokenValue = Request.Cookies[AntiXsrfTokenKey].Value;
        }
        Page.PreLoad += master_Page_PreLoad;
    }

    protected void master_Page_PreLoad(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Store the token in ViewState on the initial (non-postback) render.
            ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue;
        }
        else
        {
            // On postback the ViewState copy must match the cookie; if it does not,
            // this may be a request forged from another website.
            if (ViewState[AntiXsrfTokenKey] == null
                || ViewState[AntiXsrfTokenKey].ToString() != _antiXsrfTokenValue)
            {
                throw new InvalidOperationException("may be a csrf attack");
            }
        }
    }
For a full guide, you could refer to the link below.
If you are using MVC, you could use the ValidateAntiForgeryToken attribute.
Best regards,
Ackerly Xu
Tuesday, May 14, 2019 2:16 AM -
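The MVC side of the token approach mentioned above, as an added example that is not part of the thread or of the MVC framework itself. It shows the stock [ValidateAntiForgeryToken] on a form post, and a small authorization filter that validates the same cookie/token pair when the token arrives in a request header, which is how an AJAX call should be protected instead of relying on an X-Requested-With header alone. The controller, action names, item model and the header name "RequestVerificationToken" are assumptions for this illustration; the AntiForgery and AntiForgeryConfig types are the real ones from System.Web.Helpers (Microsoft.AspNet.WebPages), which MVC 5 projects reference.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example, not from the thread. ASSUMPTIONS: MVC 5 on System.Web;
// AccountController, ChangeEmail, DeleteItem and the header name are
// hypothetical; persistence calls are left as comments.
public class AccountController : Controller
{
    // 1. Classic form: the view renders @Html.AntiForgeryToken(), which emits a
    //    hidden __RequestVerificationToken field paired with a cookie of the same
    //    name. The attribute rejects the post if the pair does not validate.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... update the current user's e-mail address ...
        return RedirectToAction("Index");
    }

    // 2. AJAX call: the script reads the hidden field rendered on the page and
    //    sends it in a header. X-Requested-With by itself proves nothing, since a
    //    cross-site form post does not carry it but neither does it carry the
    //    secret; the unguessable token bound to the cookie is what matters.
    [HttpPost]
    [ValidateAntiForgeryHeader]
    public ActionResult DeleteItem(int id)
    {
        // ... delete the item if it belongs to the current user ...
        return new HttpStatusCodeResult(204);
    }
}

// Validates the anti-forgery pair when the form token is sent as a header.
public class ValidateAntiForgeryHeaderAttribute : FilterAttribute, IAuthorizationFilter
{
    private const string HeaderName = "RequestVerificationToken"; // hypothetical name

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;
        string headerToken = request.Headers[HeaderName];

        // Throws HttpAntiForgeryException when either token is missing, the pair
        // does not match, or the token was issued to a different user identity.
        AntiForgery.Validate(cookieToken, headerToken);
    }
}
```

On the page, `@Html.AntiForgeryToken()` is rendered once, and the client script reads `document.querySelector('input[name="__RequestVerificationToken"]').value` and sets it as the `RequestVerificationToken` header on the POST. Because the cookie is HttpOnly and the hidden field is only readable from the site's own origin, a page on another site cannot assemble the pair, which is the property the referer and X-Requested-With checks in the original question do not give by themselves.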
User-2054057000 posted
The alternative approach is to use the asp-antiforgery Tag Helper to prevent cross-site request forgery (CSRF).
Thursday, May 16, 2019 11:45 AM