Click here to Skip to main content
14,176,277 members
Click here to Skip to main content
Add your own
alternative version

Tagged as


74 bookmarked
Posted 13 Apr 2014
Licenced CPOL

Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery)

, 13 Apr 2014
Rate this:
Please Sign up or sign in to vote.
This article describes what CSRF attack is and how to prevent CSRF attacks.


This is part 3 of my series Secure your ASP.NET Applications. In this article, I will describe what exactly Cross Site Request Forgery (CSRF) is and how hacker exploit it and how we can prevent from CSRF attack.


You can read my previous article of this series from:

  1. Secure your ASP.NET applications from SQL Injection
  2. Secure your ASP.NET applications from XSS Attack

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery is also known as one click attack, sea surf and session riding and abbreviated as CSRF. CSRF attack is kind of security exploit attack in which attacker uses the authentication of the victim on victim's browser.

Cross-Site Request Forgery (CSRF) is an attack where a malicious site sends a request to a vulnerable site where the user is currently logged in . (Definition from - ASP.NETt) .

What Can This Attack Do

  • It can perform Actions/Proxy Requests for attacker from Victim's browsers.

How Is It Exploited

  1. Image link/ any link in email, on any website or on any blog .
  2. CSRF can be done using Cross Site Scripting.
  3. Malicious website can perform action using your authentication.

1. Image Link/Any Link In Email Or In Any Website

  • A user logs into website, using forms authentication.
  • Server authenticates user and response from the server includes authentication cookie.
  • Without logging out, user visited a malicious website. That malicious website may contain malicious image link, post action to site user is logged in, malicious script or Ajax call which will be totally hidden from visitor. This is the "cross site" part of CSRF attack.
  • User will click the image or any button (filling forms and clicking submit), then browser will happily send the authentication cookie for the request because post request is like ( .
  • Request will run on server with the user's authentication and can perform any action, user is allowed to do.

This attack is tough to catch, and becomes worse when attacker does the post from AJAX. The victim will even not have to perform any action. This attack can breach even SSL because malicious user can send HTTPS request too like "" .

2. XSS Can Also Be Used To do CSRF Attack

To learn XSS and prevention from it, please see my last article of this series.

  • If any website contains comment section, malicious user can inject script to comment section.
  • When an authenticated admin will log in and visit that page where malicious user injected the script, that will execute and as a result action will be performed according to the script .

As a result of the above script, the user having id four will get deleted .

How To Prevent CSRF

For All Websites

  1. Make ensure your get requests are only used to retrieve data/resource .
  2. Never perform action on get requests. HTTP specifications also depict that one should not perform an action on get requests. (
  3. POSTS/PUT/DELETE can also be forged. To prevent those, make requests unique and non-repeatable.

For ASP.NET Web Forms

  1. ViewStateUserKey = Session.SessionID then viewstate will act as a form token
  2. Protect SessionID using Hashing and Encryption
  3. Use SSL to prevent sniffing of SessionID and ViewState
  4. Either create a BasePage and add the following code in that and check ViewState for forms and inherit all the pages from this base page.

ViewState is maintained optionally by ASP.NET,you can maintain view state optionally on page or on any control. Viewstate can be used as a CSRF defense, as it is very difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF.

To use the ViewStateUserKey property within the Viewstate to protect against spoofed post backs. Add the following in the OnInit virtual method of the Page-derived class (This property must be set in the Page.Init event).

protected override OnInit(EventArgs e) {
     if (User.Identity.IsAuthenticated)
        ViewStateUserKey = Session.SessionID; } 

The following keys the Viewstate to an individual using a unique value of your choice.


This must be applied in Page_Init because the key has to be provided to ASP.NET before Viewstate is loaded. This option has been available since ASP.NET 1.1. [References from OWASP].


  1. Use AntiForgeryTokens
  2. Use SSL to prevent sniffing of AntiForgeryTokens

Basically, the idea behind this token is to generate a token for forms and validate this token at the server side before performing the action. To achieve this, we will have to create a toke in View of ASP.NET MVC and this token will be verified at the Action of our controller of MVC.

Generate Token on View

Use @Html.AntiForgeryToken() in your forms to generate token.

@using (Html.BeginForm())
                      Select a file <input type="file" name="file" />
                     <input type="submit" value="Upload" />

Validate Toke on Action of your controller

Use [ValidateAntiForgeryToken()] on your action.

I hope you liked this article and that it will help you out to make your application more secure .



This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Sarvesh Kushwaha
Software Developer
India India
I do believe life is to help others ... So here i am .. in my spare time i learn new things of programming and try to help people with my knowledge .
I'm an energetic, self-motivated and hard-working Developer and Information Technology Professional with experience in projects, website design and development.

Visit My Technical Blog

You may also be interested in...


Comments and Discussions

GeneralMy vote of 5 Pin
darkliahos23-Mar-16 6:14
memberdarkliahos23-Mar-16 6:14 
GeneralMy vote of 5 Pin
Humayun Kabir Mamun4-Jan-15 21:14
memberHumayun Kabir Mamun4-Jan-15 21:14 
GeneralRe: My vote of 5 Pin
Sarvesh Kushwaha4-Jan-15 23:45
memberSarvesh Kushwaha4-Jan-15 23:45 
GeneralClear one ! Pin
Senthilnathan Vaithi29-Dec-14 19:48
memberSenthilnathan Vaithi29-Dec-14 19:48 
GeneralRe: Clear one ! Pin
Sarvesh Kushwaha29-Dec-14 23:28
memberSarvesh Kushwaha29-Dec-14 23:28 
GeneralNice MY vote 5 Pin
Member 1100920112-Aug-14 17:55
memberMember 1100920112-Aug-14 17:55 
QuestionGood explanation Pin
KaushalJB23-May-14 0:55
professionalKaushalJB23-May-14 0:55 
GeneralRe: Good explanation Pin
Sarvesh Kushwaha25-May-14 18:48
memberSarvesh Kushwaha25-May-14 18:48 
GeneralMy vote of 5 Pin
ravithejag17-Apr-14 23:38
memberravithejag17-Apr-14 23:38 
GeneralRe: My vote of 5 Pin
Sarvesh Kushwaha17-Apr-14 23:39
memberSarvesh Kushwaha17-Apr-14 23:39 
QuestionWhere can I find the first 2 articles? Pin
jinksk15-Apr-14 8:39
memberjinksk15-Apr-14 8:39 
GeneralRe: Where can I find the first 2 articles? Pin
Sarvesh Kushwaha15-Apr-14 14:49
memberSarvesh Kushwaha15-Apr-14 14:49 
GeneralMy vote of 5 Pin
Carsten V2.013-Apr-14 5:22
memberCarsten V2.013-Apr-14 5:22 
GeneralRe: My vote of 5 Pin
Sarvesh Kushwaha13-Apr-14 11:30
memberSarvesh Kushwaha13-Apr-14 11:30 
GeneralMy vote of 5 Pin
Renju Vinod23-Jan-14 1:31
professionalRenju Vinod23-Jan-14 1:31 
GeneralRe: My vote of 5 Pin
Sarvesh Kushwaha29-Jan-14 18:49
memberSarvesh Kushwaha29-Jan-14 18:49 
GeneralMy vote of 5 Pin
Robert J. Good26-Nov-13 9:45
professionalRobert J. Good26-Nov-13 9:45 
GeneralRe: My vote of 5 Pin
Sarvesh Kushwaha26-Nov-13 17:36
memberSarvesh Kushwaha26-Nov-13 17:36 
QuestionHelpful article Pin
Gonzalo Brusella25-Nov-13 4:13
memberGonzalo Brusella25-Nov-13 4:13 
AnswerRe: Helpful article Pin
Sarvesh Kushwaha25-Nov-13 7:00
memberSarvesh Kushwaha25-Nov-13 7:00 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Cookies | Terms of Use | Mobile
Web01 | 2.8.190525.1 | Last Updated 13 Apr 2014
Article Copyright 2014 by Sarvesh Kushwaha
Everything else Copyright © CodeProject, 1999-2019
Layout: fixed | fluid