harshaprakas...
Member
13 Points
87 Posts
How to prevent Cross site request forgery attacks
Nov 07, 2012 03:41 AM
Hi,
I need to prevent Cross-site request forgery (CSRF) attacks on my web application (.net version 3.5). Please let me know a simple way to implement it. And I need to do it for every page in my application.
Note: I tried setting enableViewStateMac = false in web.config and assigning a unique value to "ViewStateUserKey" in the page OnInit. But later we decided not to go with this solution, as setting "enableViewStateMac = false" itself in a production environment is a security flaw.
Harsha.
dhol.gaurav
Contributor
3998 Points
725 Posts
Re: How to prevent Cross site request forgery attacks
Nov 07, 2012 05:07 AM
Hey,
You can do it using the Referrer URL: when a request comes in to any page you will get the Referrer URL; check whether that URL is of the same domain or not, and if it is of a different domain, you can redirect to some page where you can have an error page.
Let me know if you have any query.
Gaurav Dhol
Skype ID : dhol.gaurav
If my post helped you, please mark it as the answer.
harshaprakas...
Member
13 Points
87 Posts
Re: How to prevent Cross site request forgery attacks
Nov 07, 2012 06:18 AM
Hi Gaurav,
Thank you very much for your reply. I will try your solution now. But in the meantime, please let me know: are you referring to "Request.UrlReferrer"? Do I need to check Request.UrlReferrer against the domain name?
I will try this and let you know the results.
Harsha.
dhol.gaurav
Contributor
3998 Points
725 Posts
Re: How to prevent Cross site request forgery attacks
Nov 07, 2012 07:09 AM
Hey,
Yes, you have to check the domain name in Request.UrlReferrer.
Let me know if you have any query.
Gaurav Dhol
Skype ID : dhol.gaurav
If my post helped you, please mark it as the answer.
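The Referer check described in the two replies above, written as an HttpModule so it applies to every page without per-page code. This is an added example, not code from the thread; it assumes the site is served on a single scheme, host and port (taken from Request.Url) and that "~/CsrfError.aspx" is a placeholder for the error page the reply mentions.

```csharp
using System;
using System.Web;

// Added example, not code from the thread: applies the Referer check to
// every POST in the application. Assumptions: one scheme/host/port for the
// site (read from Request.Url), and "~/CsrfError.aspx" is a placeholder.
public class RefererCheckModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose()
    {
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // GET/HEAD must not change state, so only POSTs are checked.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        Uri referer;
        try
        {
            // UrlReferrer throws UriFormatException on a malformed header; treat that as absent.
            referer = request.UrlReferrer;
        }
        catch (UriFormatException)
        {
            referer = null;
        }

        if (!IsSameOrigin(referer, request.Url))
        {
            // Redirect to the error page, as suggested in the reply above.
            app.Context.Response.Redirect("~/CsrfError.aspx", true);
        }
    }

    // Compares scheme, host and port exactly. Never use a substring or
    // StartsWith test on the host: that also accepts unrelated hosts whose
    // name merely contains the expected domain.
    internal static bool IsSameOrigin(Uri referer, Uri requested)
    {
        if (referer == null || requested == null)
        {
            // No Referer header (privacy settings, some proxies, HTTPS to HTTP
            // navigation) fails closed, so expect some false positives.
            return false;
        }
        return string.Equals(referer.Scheme, requested.Scheme, StringComparison.OrdinalIgnoreCase)
            && string.Equals(referer.Host, requested.Host, StringComparison.OrdinalIgnoreCase)
            && referer.Port == requested.Port;
    }
}
```

Register it once in web.config: under `<system.web><httpModules>` with `<add name="RefererCheck" type="RefererCheckModule" />` for the classic pipeline, or under `<system.webServer><modules>` for IIS 7 integrated mode. Because browsers and proxies do drop the Referer header, this check alone produces false positives and misses nothing only when the header is present; treat it as a secondary control rather than the sole CSRF defence.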
BrockAllen
All-Star
27530 Points
4905 Posts
MVP
Re: How to prevent Cross site request forgery attacks
Nov 07, 2012 01:33 PM
Referrer isn't perfect. And yes, you want enableViewStateMac to be enabled.
There's a library on codeplex that provides a better mechanism:
http://anticsrf.codeplex.com/
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
harshaprakas...
Member
13 Points
87 Posts
Re: How to prevent Cross site request forgery attacks
Nov 08, 2012 05:28 AM
Thank you BrockAllen for your reply.
I know Referrer is not perfect. I thought of using the library given at http://anticsrf.codeplex.com/, but as per my company policies I am not supposed to use third-party dll's unless we buy a license or we have the code of that dll. So can you please let me know whether the code is available for the library given at http://anticsrf.codeplex.com/.
harsha.
BrockAllen
All-Star
27530 Points
4905 Posts
MVP
Re: How to prevent Cross site request forgery attacks
Nov 08, 2012 01:58 PM
The code is right there on the link I gave you:
http://anticsrf.codeplex.com/SourceControl/changeset/view/69709
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
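Since the asker needs an implementation whose source is in-house, here is a base page that every page in the application can inherit from. It is an added example, not the codeplex library's code and not the thread's: it combines the two points raised above (a session-bound ViewStateUserKey with enableViewStateMac left at its default of true, and a per-session synchronizer token carried in a hidden field, the general mechanism token-based anti-CSRF libraries use). The session key and hidden-field name are this example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Added example, not the codeplex library's code: derive every page from
// this class (": CsrfProtectedPage" instead of ": System.Web.UI.Page" in the
// code-behind). The session key and hidden-field name are assumed names.
public abstract class CsrfProtectedPage : Page
{
    private const string TokenSessionKey = "CsrfProtectedPage.Token";
    private const string TokenFieldName = "__csrfToken";

    protected override void OnInit(EventArgs e)
    {
        // Must be set during Init. With enableViewStateMac=true (the default)
        // the ViewState MAC now covers the session, so ViewState captured in
        // one session is rejected when submitted from another.
        ViewStateUserKey = Session.SessionID;

        string expected = GetOrCreateToken(Session);

        if (IsPostBack && !FixedTimeEquals(expected, Request.Form[TokenFieldName]))
        {
            // Fail closed before Load or any control event handler runs.
            throw new HttpException(403, "Missing or invalid anti-forgery token.");
        }

        // Renders <input type="hidden" name="__csrfToken" value="..."> inside
        // the form on every response, so the next postback carries it back.
        ClientScript.RegisterHiddenField(TokenFieldName, expected);

        base.OnInit(e);
    }

    // One 256-bit random token per session. Storing it in session also keeps
    // Session.SessionID stable, which the ViewStateUserKey binding depends on.
    internal static string GetOrCreateToken(HttpSessionState session)
    {
        string token = session[TokenSessionKey] as string;
        if (string.IsNullOrEmpty(token))
        {
            byte[] bytes = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[TokenSessionKey] = token;
        }
        return token;
    }

    // Compares the whole string regardless of where it first differs, so the
    // response time does not leak how much of a token matched (.NET 3.5 has
    // no built-in fixed-time comparison).
    internal static bool FixedTimeEquals(string expected, string presented)
    {
        if (expected == null || presented == null || expected.Length != presented.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= expected[i] ^ presented[i];
        }
        return diff == 0;
    }
}
```

The token is compared on every postback, which covers normal button clicks and UpdatePanel requests because both submit the form. Pages that disable session state (EnableSessionState="False") cannot inherit from this base, and any endpoint that changes state outside a WebForms postback (a raw .ashx handler, for instance) needs the same token check added by hand.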