I have a VS2013 web app and I am trying to add CSRF protection.
I tried inserting the following code into the MasterPage:
// Fields used by the two handlers below (the example_Form.aspx snippet further down declares the same three)
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;

protected void Page_Init(object sender, EventArgs e)
{
    // The code below helps to protect against XSRF attacks
    var requestCookie = Request.Cookies[AntiXsrfTokenKey];
    Guid requestCookieGuidValue;
    if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
    {
        // Use the Anti-XSRF token from the cookie
        _antiXsrfTokenValue = requestCookie.Value;
        Page.ViewStateUserKey = _antiXsrfTokenValue;
    }
    else
    {
        // Generate a new Anti-XSRF token and save to the cookie
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
        Page.ViewStateUserKey = _antiXsrfTokenValue;
        var responseCookie = new HttpCookie(AntiXsrfTokenKey)
        {
            HttpOnly = true,
            Value = _antiXsrfTokenValue
        };
        if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
        {
            responseCookie.Secure = true;
        }
        Response.Cookies.Set(responseCookie);
    }
    Page.PreLoad += master_Page_PreLoad;
}

protected void master_Page_PreLoad(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Set Anti-XSRF token
        ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
        ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
    }
    else
    {
        // Validate the Anti-XSRF token
        if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
            || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
        {
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
    }
}
In addition, the application has a page that is not a content page; it can be opened from one of the content pages using an <a> tag (example_Form.aspx).
I added the following code to the example_Form.aspx:
// Anti-forgery variables
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;

protected void Page_Init(object sender, EventArgs e)
{
    // The code below helps to protect against XSRF attacks
    var requestCookie = Request.Cookies[AntiXsrfTokenKey];
    Guid requestCookieGuidValue;
    if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
    {
        // Use the Anti-XSRF token from the cookie
        _antiXsrfTokenValue = requestCookie.Value;
        Page.ViewStateUserKey = _antiXsrfTokenValue;
    }
    else
    {
        // Generate a new Anti-XSRF token and save to the cookie
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
        Page.ViewStateUserKey = _antiXsrfTokenValue;
        var responseCookie = new HttpCookie(AntiXsrfTokenKey)
        {
            HttpOnly = true,
            Value = _antiXsrfTokenValue
        };
        if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
        {
            responseCookie.Secure = true;
        }
        Response.Cookies.Set(responseCookie);
    }
    Page.PreLoad += master_Page_PreLoad;
}

protected void master_Page_PreLoad(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Set Anti-XSRF token
        ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
        ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
    }
    else
    {
        // Validate the Anti-XSRF token
        if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
            || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
        {
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
    }
}
Do I also need to add a hidden field to the content page?
To test my code, I wrote the following HTML to try and hack my app:
I logged in to my example.com application and then opened the HTML file located on my computer. I clicked the submit button and managed to save a new record using the form.
What am I missing? What am I doing wrong?
I tried running the HTML code with the form action directed to my localhost while debugging, and I could see that the HTML file has no problem running the server-side script. The token is the same; a new Anti-XSRF token is never created.
I would really appreciate your help.
Member
53 Points
275 Posts
CSRF in a web app
Aug 27, 2018 02:05 PM|qsoft_developer|LINK
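A cross-site test page of the kind the post above describes, added here as an example; it is not the poster's own HTML (which is not reproduced on this page), and the action URL, the field names, the button name and the __EVENTTARGET value are assumptions. Its shape is the point: it carries only values an attacker can know in advance from the page source. It contains no __VIEWSTATE, __VIEWSTATEGENERATOR or __EVENTVALIDATION field and no copy of the __AntiXsrfToken cookie value, because a page on another origin cannot read those out of the victim's session; the browser attaches the victim's cookies to the POST on its own.

```html
<!DOCTYPE html>
<!-- Added example of a cross-site POST test page (not the poster's HTML).
     The target URL, field names, button name and __EVENTTARGET value are
     assumptions; replace them with the real UniqueIDs from the page source. -->
<html>
<body>
  <form id="csrf" method="post" action="https://example.com/example_Form.aspx">
    <!-- Business fields an attacker chooses freely. -->
    <input type="hidden" name="txtName"  value="attacker-chosen value">
    <input type="hidden" name="txtNotes" value="created by a cross-site POST">
    <!-- The save button's name/value as the real page would post it (assumption). -->
    <input type="hidden" name="btnSave" value="Save">
    <!-- __EVENTTARGET is not secret (it is a control UniqueID visible in the page
         source). Sending it makes ASP.NET treat the request as a postback, so the
         PreLoad token check is actually exercised. Deliberately absent, because a
         cross-origin page cannot obtain them: __VIEWSTATE, __EVENTVALIDATION and
         the __AntiXsrfToken cookie value. -->
    <input type="hidden" name="__EVENTTARGET" value="btnSave">
    <input type="hidden" name="__EVENTARGUMENT" value="">
    <noscript><input type="submit" value="Submit"></noscript>
  </form>
  <script>
    // Auto-submit so the test needs no click. The browser adds the victim's
    // cookies for example.com (including __AntiXsrfToken) to this request itself.
    document.getElementById("csrf").submit();
  </script>
</body>
</html>
```

Open the file in the same browser that is logged in to example.com and watch the request in the network tab. With Page.ViewStateUserKey set in Page_Init as in the snippets above, the expected result is an unhandled exception before Load and any Click handler run, either from event validation (no __EVENTVALIDATION field arrives) or, if event validation is disabled, from the PreLoad check (no ViewState arrives, so ViewState[AntiXsrfTokenKey] is null and does not equal the cookie token); no record should be written. Two variants of the test are misleading: a form that carries a __VIEWSTATE value copied out of your own logged-in session is indistinguishable from a legitimate postback (that ViewState was created under your own cookie's ViewStateUserKey) and so proves nothing; and a form with neither __VIEWSTATE nor __EVENTTARGET is handled by ASP.NET as a non-postback (IsPostBack is false), so control events never fire and the PreLoad check is never evaluated, which means only code that reads Request.Form directly in Page_Load could save anything on that path, and the template does not protect it. The check also covers only the Web Forms postback pipeline; a WebMethod, .ashx handler or other endpoint that writes data without going through PreLoad gets no protection from it. Browsers that now default cookies to SameSite=Lax withhold the cookie on a cross-site POST, which changes the outcome of this test, so confirm in the network tab whether the cookie was actually sent.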
All-Star
53131 Points
23682 Posts
Re: CSRF in a web app
Aug 27, 2018 03:14 PM|mgebhard|LINK
See the following.
https://haacked.com/archive/2009/04/02/csrf-webforms.aspx/
https://msdn.microsoft.com/en-us/library/ms972969.aspx
Member
53 Points
275 Posts
Re: CSRF in a web app
Aug 29, 2018 06:12 AM|qsoft_developer|LINK
Hi,
Thanks for the links, but I still can't find the answers to my questions.
Can you maybe relate to my questions regarding my code? Is there something I am missing? The code I added is what comes with the Master page template in VS2013, so I just need to make sure I am testing it right.