Cross Site Request Forgery on my GridView

  • Question

  • User-617859429 posted

    Hi

    1) I have been exposed to a CSRF attack.

    The code for the .NET GridView is below. Not sure what I am missing.

    <asp:GridView ID="gvCalender" runat="server" CssClass="Grid" AutoGenerateColumns="false"
        AllowSorting="true" OnSorting="gvCalender_Sorting"
        OnRowEditing="gvCalender_RowEditing"
        OnRowCancelingEdit="gvCalender_OnRowCancelingEdit"
        OnRowUpdating="gvCalender_OnRowUpdating"
        OnRowDataBound="gvCalender_RowDataBound"
        DataKeyNames="ID">
        <Columns>
            <asp:CommandField ShowEditButton="true" />
            <asp:BoundField DataField="Month" HeaderText="Month" SortExpression="Month" />
        </Columns>
    </asp:GridView>

    Tuesday, June 5, 2018 9:36 PM

All replies

  • User409696431 posted

    See the discussion at https://stackoverflow.com/questions/29939566/preventing-cross-site-request-forgery-csrf-attacks-in-asp-net-web-forms

    If you create a new webforms application project in Visual Studio 2017 (and I think earlier versions to at least 2013), the Site.Master and Site.Master.cs files have CSRF protection baked in.  You can look at that code and add it to your site master page, or if you don't use a master page, to individual pages.

    Tuesday, June 5, 2018 10:06 PM
  • User-330142929 posted

    Hi Muhammadazeemazam,

     

    From your description, does your project already prevent CSRF? As far as I know, starting with Visual Studio 2012, Microsoft added built-in CSRF protection to new web forms application projects.

    We could add a CSRF validation token in the Master_Page_Init and Master_Page_Preload event handlers. In order to ensure that all pages are protected, make sure that all pages use the master page.

    The following link will be useful to you.

    https://stackoverflow.com/questions/29939566/preventing-cross-site-request-forgery-csrf-attacks-in-asp-net-web-forms

    If it still has the same issue, please feel free to let me know.

     

    Best Regards,

    Abraham

    Wednesday, June 6, 2018 11:37 AM
  • User-617859429 posted

    Hi All

    1) The issue is I don't have the Master Page on my Application.

    2) I will have to implement it on individual pages.

    3) VS 2012 does provide CSRF code on Master Page, but in my case I don't have master page.

    4) My Project doesn't Prevent CSRF.

    5) Should I copy the CSRF code from the Site Master Page to all individual pages, as Kathy suggested above? Which doesn't make sense to me. I could be wrong as well...

    Thank You

    Tuesday, June 26, 2018 2:08 PM
  • User409696431 posted

    If you don't have a master page, yes, copy the code to all of your pages that could be subject to an attack.  (I'm not sure why you thought that didn't make sense.  Using a master page copies that code to all the pages … same result.)

    Tuesday, June 26, 2018 4:07 PM
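
For a site with no master page, the per-page check discussed in this thread can live in one shared base class rather than being pasted into every code-behind. The sketch below is an added example, not code from the thread or from Microsoft; it follows the cookie plus ViewStateUserKey pattern of the Visual Studio Web Forms template's Site.Master.cs, and the class name `CsrfProtectedPage` is hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: pages inherit from this instead of System.Web.UI.Page.
public class CsrfProtectedPage : Page
{
    private const string TokenKey = "__AntiXsrfToken";
    private const string UserKey = "__AntiXsrfUserName";
    private string _token;

    protected override void OnInit(EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[TokenKey];
        Guid parsed;
        if (cookie != null && Guid.TryParse(cookie.Value, out parsed))
        {
            _token = cookie.Value;            // reuse this browser's existing token
        }
        else
        {
            _token = Guid.NewGuid().ToString("N");
            var fresh = new HttpCookie(TokenKey, _token) { HttpOnly = true };
            fresh.Secure = FormsAuthentication.RequireSSL && Request.IsSecureConnection;
            Response.Cookies.Set(fresh);
        }
        // Binds the ViewState MAC to the token; must be set during Init.
        ViewStateUserKey = _token;
        base.OnInit(e);
    }

    protected override void OnPreLoad(EventArgs e)
    {
        string user = Context.User.Identity.Name ?? string.Empty;
        if (!IsPostBack)
        {
            ViewState[TokenKey] = _token;     // first render: stamp token and user
            ViewState[UserKey] = user;
        }
        else if ((string)ViewState[TokenKey] != _token ||
                 (string)ViewState[UserKey] != user)
        {
            // Postback (e.g. the GridView Edit/Update commands) without a matching token.
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
        base.OnPreLoad(e);
    }
}
```

Each page's code-behind class then derives from `CsrfProtectedPage` instead of `Page`; the check relies on ViewState being enabled for the page, since the token is stored there.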