I understand Cross-Site Request Forgery and found numerous blogs and articles on the web on handling it in ASP.NET MVC, but I have not got decent links or helpful solutions for dealing with CSRF attacks in ASP.NET web applications. I have run a security tool on my website, and it is reporting cross-site request forgery and showing the risk:
It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
My question is how to deal with CSRF attacks in ASP.NET web applications?
The ViewState mechanism can be used to protect against CSRF in a web forms app.
ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a control. Viewstate can be used as a CSRF defense, as it is difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF.
Also regarding your other question on CSRF:
It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
A CSRF attack usually doesn't allow an attacker to view anything, only to make requests on behalf of the logged-in user. However, if there is a change-password option that doesn't require the current password to be submitted, the attacker might be able to call this function using the victim's session, and then later log in directly as the victim user.
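The advice above (add the session ID to the ViewState) maps onto the Page.ViewStateUserKey property in Web Forms. The following base page is an added example written for this answer, not code from the original post or from Microsoft; it assumes session state is enabled and ViewState MAC validation is left on (the default), and the class and session key names are my own.

```csharp
// Added example: bind each page's ViewState to the current session so that
// ViewState captured from one session fails MAC validation in another.
using System;
using System.Web.UI;

public class SessionBoundPage : Page
{
    // Assumed name; any key works, it only has to be stored once per session.
    private const string SessionAnchorKey = "__SessionBoundPage";

    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey has to be set before the page loads ViewState,
        // so Init (or PreInit) is the place; setting it in Load is too late.
        if (Session != null)
        {
            // ASP.NET issues a fresh SessionID on every request until
            // something is actually stored in the session. Store a marker
            // once so the ID is stable; otherwise every postback would be
            // checked against a different key and fail MAC validation.
            if (Session[SessionAnchorKey] == null)
            {
                Session[SessionAnchorKey] = true;
            }

            // The session ID is mixed into the ViewState MAC, so a forged
            // request has to carry ViewState generated for this very session.
            ViewStateUserKey = Session.SessionID;
        }

        base.OnInit(e);
    }
}
```

Pages that inherit from this class (instead of System.Web.UI.Page) get the protection for every postback. Note what it does not cover: requests handled without ViewState, such as GET handlers or custom .ashx handlers that change state, still need their own token check.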
If you look at the second link you posted, you see the logic of the Html.AntiForgeryToken() validation in MVC:
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Web.Helpers;

// Expects the client to send both halves of the anti-forgery token in a
// single header, "RequestVerificationToken: <cookieToken>:<formToken>".
void ValidateRequestHeader(HttpRequestMessage request)
{
    string cookieToken = "";
    string formToken = "";

    IEnumerable<string> tokenHeaders;
    if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
    {
        string[] tokens = tokenHeaders.First().Split(':');
        if (tokens.Length == 2)
        {
            cookieToken = tokens[0].Trim();
            formToken = tokens[1].Trim();
        }
    }

    // Throws HttpAntiForgeryException when the pair does not match; a missing
    // header leaves both values empty and fails validation the same way.
    AntiForgery.Validate(cookieToken, formToken);
}
It shouldn't be that hard to do the same in your Web Forms app.
See this answer for a possible solution.
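To show what "the same in your Web Forms app" looks like, here is an added example (not from the original answer and not Microsoft's code) that reuses the System.Web.Helpers.AntiForgery class the MVC helper is built on. It assumes the Microsoft.AspNet.WebPages package (which provides System.Web.Helpers) is referenced by the Web Forms project; the class name is mine.

```csharp
// Added example: MVC-style anti-forgery token validation in a Web Forms
// base page, using the same AntiForgery class as the MVC helper.
using System;
using System.Web.Helpers;
using System.Web.UI;

public class AntiForgeryPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Only state-changing requests carry a token; GETs are let through.
        if (string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            // Reads the __RequestVerificationToken cookie and the
            // __RequestVerificationToken form field from the current request
            // and checks that they were issued as a pair (and, for logged-in
            // users, for this user). On mismatch it throws
            // HttpAntiForgeryException, which aborts the page lifecycle before
            // any postback event handler runs; map that exception to a 403 in
            // Application_Error or customErrors if you want a cleaner response.
            AntiForgery.Validate();
        }
    }
}

// In the .aspx markup, emit the token inside the server form. GetHtml()
// renders the hidden __RequestVerificationToken field and sets the matching
// cookie on the response:
//
//   <form id="form1" runat="server">
//       <%= AntiForgery.GetHtml() %>
//       ...
//   </form>
```

The cookie is sent automatically by the browser, but the hidden field's value is only readable by pages on your own origin, so a form on an attacker's site cannot supply a matching pair. The same AntiForgery.Validate() call can be made once for all POSTs from Global.asax (for example in Application_PreRequestHandlerExecute, after authentication has run) if you prefer not to touch every page, but then every POST endpoint, including login forms and any callbacks from third parties, must either render the token or be explicitly exempted.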
Is there any solution for the same in an ASP.NET Web Forms application which will handle it in Global.asax?
In MVC it becomes very simple, but if the old application is a simple Web Forms app and you want to prevent such attacks at a global level, then what will be the solution?