Click here to Skip to main content
Click here to Skip to main content

Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery)

, 13 Apr 2014 CPOL
Rate this:
Please Sign up or sign in to vote.
This article describes what CSRF attack is and how to prevent CSRF attacks.

Introduction

This is part 3 of my series Secure your ASP.NET Applications. In this article, I will describe what exactly Cross Site Request Forgery (CSRF) is and how hacker exploit it and how we can prevent from CSRF attack.

Background

You can read my previous article of this series from:

  1. Secure your ASP.NET applications from SQL Injection
  2. Secure your ASP.NET applications from XSS Attack

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery is also known as one click attack, sea surf and session riding and abbreviated as CSRF. CSRF attack is kind of security exploit attack in which attacker uses the authentication of the victim on victim's browser.

Cross-Site Request Forgery (CSRF) is an attack where a malicious site sends a request to a vulnerable site where the user is currently logged in . (Definition from - ASP.NETt) .

What Can This Attack Do

  • It can perform Actions/Proxy Requests for attacker from Victim's browsers.

How Is It Exploited

  1. Image link/ any link in email, on any website or on any blog .
  2. CSRF can be done using Cross Site Scripting.
  3. Malicious website can perform action using your authentication.

1. Image Link/Any Link In Email Or In Any Website

  • A user logs into website www.examplewebsite.com, using forms authentication.
  • Server authenticates user and response from the server includes authentication cookie.
  • Without logging out, user visited a malicious website. That malicious website may contain malicious image link, post action to site user is logged in, malicious script or Ajax call which will be totally hidden from visitor. This is the "cross site" part of CSRF attack.
  • User will click the image or any button (filling forms and clicking submit), then browser will happily send the authentication cookie for the request because post request is like (www.examplewebsite.com/account/delete) .
  • Request will run on server with the user's authentication and can perform any action, user is allowed to do.

This attack is tough to catch, and becomes worse when attacker does the post from AJAX. The victim will even not have to perform any action. This attack can breach even SSL because malicious user can send HTTPS request too like "https://examplewebsite.com/account/delete" .

2. XSS Can Also Be Used To do CSRF Attack

To learn XSS and prevention from it, please see my last article of this series.

  • If any website contains comment section, malicious user can inject script to comment section.
  • When an authenticated admin will log in and visit that page where malicious user injected the script, that will execute and as a result action will be performed according to the script .

As a result of the above script, the user having id four will get deleted .

How To Prevent CSRF

For All Websites

  1. Make ensure your get requests are only used to retrieve data/resource .
  2. Never perform action on get requests. HTTP specifications also depict that one should not perform an action on get requests. (www.examplewebsite.com/account/delete/id=4)
  3. POSTS/PUT/DELETE can also be forged. To prevent those, make requests unique and non-repeatable.

For ASP.NET Web Forms

  1. ViewStateUserKey = Session.SessionID then viewstate will act as a form token
  2. Protect SessionID using Hashing and Encryption
  3. Use SSL to prevent sniffing of SessionID and ViewState
  4. Either create a BasePage and add the following code in that and check ViewState for forms and inherit all the pages from this base page.

ViewState is maintained optionally by ASP.NET,you can maintain view state optionally on page or on any control. Viewstate can be used as a CSRF defense, as it is very difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF.

To use the ViewStateUserKey property within the Viewstate to protect against spoofed post backs. Add the following in the OnInit virtual method of the Page-derived class (This property must be set in the Page.Init event).

protected override OnInit(EventArgs e) {
     base.OnInit(e); 
     if (User.Identity.IsAuthenticated)
        ViewStateUserKey = Session.SessionID; } 

The following keys the Viewstate to an individual using a unique value of your choice.

   (Page.ViewStateUserKey)  

This must be applied in Page_Init because the key has to be provided to ASP.NET before Viewstate is loaded. This option has been available since ASP.NET 1.1. [References from OWASP].

For ASP.NET MVC

  1. Use AntiForgeryTokens
  2. Use SSL to prevent sniffing of AntiForgeryTokens

Basically, the idea behind this token is to generate a token for forms and validate this token at the server side before performing the action. To achieve this, we will have to create a toke in View of ASP.NET MVC and this token will be verified at the Action of our controller of MVC.

Generate Token on View

Use @Html.AntiForgeryToken() in your forms to generate token.

@using (Html.BeginForm())
                {
                    @Html.AntiForgeryToken();
                     <fieldset>
                      Select a file <input type="file" name="file" />
                     <input type="submit" value="Upload" />
                      </fieldset>
                }    

Validate Toke on Action of your controller

Use [ValidateAntiForgeryToken()] on your action.

I hope you liked this article and that it will help you out to make your application more secure .

References

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Sarvesh Kushwaha
Software Developer
India India
I do believe life is to help others ... So here i am .. in my spare time i learn new things of programming and try to help people with my knowledge .
I'm an energetic, self-motivated and hard-working Developer and Information Technology Professional with experience in projects, website design and development.
 
Visit My Technical Blog
Follow on   Twitter   Google+   LinkedIn

Comments and Discussions

 
GeneralNice MY vote 5 PinmemberMember 1100920112-Aug-14 17:55 
QuestionGood explanation PinmemberKaushal1523-May-14 0:55 
GeneralRe: Good explanation PinmemberSarvesh Kushwaha25-May-14 18:48 
GeneralMy vote of 5 Pinmemberravithejag17-Apr-14 23:38 
GeneralRe: My vote of 5 PinmemberSarvesh Kushwaha17-Apr-14 23:39 
QuestionWhere can I find the first 2 articles? Pinmemberjinksk15-Apr-14 8:39 
GeneralRe: Where can I find the first 2 articles? PinmemberSarvesh Kushwaha15-Apr-14 14:49 
GeneralMy vote of 5 PinmemberCarsten V2.013-Apr-14 5:22 
GeneralRe: My vote of 5 PinmemberSarvesh Kushwaha13-Apr-14 11:30 
GeneralMy vote of 5 PinprofessionalRenju Vinod23-Jan-14 1:31 
GeneralRe: My vote of 5 PinmemberSarvesh Kushwaha29-Jan-14 18:49 
GeneralMy vote of 5 PinmemberRobert J. Good26-Nov-13 9:45 
GeneralRe: My vote of 5 PinmemberSarvesh Kushwaha26-Nov-13 17:36 
QuestionHelpful article PinmemberGonzalo Brusella25-Nov-13 4:13 
AnswerRe: Helpful article PinmemberSarvesh Kushwaha25-Nov-13 7:00 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web03 | 2.8.141015.1 | Last Updated 13 Apr 2014
Article Copyright 2014 by Sarvesh Kushwaha
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid