Generally speaking, we normally use a CSRF token to prevent CSRF attacks.
Below is a simple sample of how to implement it in Web Forms.
Generate a cookie whose value is a GUID; when it is not a postback, set the value in ViewState; when it is a postback, check whether the request contains the GUID to prevent requests from other websites.
using System;
using System.Web;

private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private string _antiXsrfTokenValue;

protected void Page_Init(object sender, EventArgs e)
{
    // Set the CSRF token through a cookie on the first visit; reuse it on later requests.
    if (Request.Cookies[AntiXsrfTokenKey] == null)
    {
        // Guid.NewGuid() yields a random value. The original used new Guid(), which is
        // Guid.Empty (all zeros), so every user would get the same predictable token.
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
        HttpCookie cookie = new HttpCookie(AntiXsrfTokenKey)
        {
            Value = _antiXsrfTokenValue,
            HttpOnly = true // keep script from reading the token
        };
        Response.SetCookie(cookie);
    }
    else
    {
        _antiXsrfTokenValue = Request.Cookies[AntiXsrfTokenKey].Value;
    }
    Page.PreLoad += master_Page_PreLoad;
}

protected void master_Page_PreLoad(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Not a postback: store the token in ViewState so it travels with the form.
        ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue;
    }
    else
    {
        // Postback: the ViewState token must match the cookie; if it does not,
        // this may be a request forged from another website.
        if (ViewState[AntiXsrfTokenKey] == null || ViewState[AntiXsrfTokenKey].ToString() != _antiXsrfTokenValue)
        {
            throw new InvalidOperationException("may be a csrf attack");
        }
    }
}
None
0 Points
25 Posts
how to avoid the CSRF attack in ASP.net application
May 13, 2019 12:05 PM|uid586769|LINK
Hi Team,
I am working to resolve CSRF attacks and how to fix them using a custom header, "X-Requested-With", having its value. Or will the following way also
System.Web.HttpContext.Current.Request.UrlReferrer != null || System.Web.HttpContext.Current.Request.Url.Host == System.Web.HttpContext.Current.Request.Url.Host
resolve it?
Please let me know, or any alternative approaches for ASP.NET applications.
Thanks
All-Star
48490 Points
18071 Posts
Re: how to avoid the CSRF attack in ASP.net application
May 13, 2019 12:19 PM|PatriceSc|LINK
Hi,
And the recommendation you saw is? Testing a value against itself doesn't make sense. You want to test the referer instead? I believe you want rather:
You are using MVC? A first step could be https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages if not done already.
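As an added example (not code from PatriceSc's reply or from anyone else in this thread), the following helper does what the expression in the question was meant to do: it compares the request's Origin header (or, failing that, its Referer) with the request's own scheme and authority instead of comparing the host with itself. The class and method names and the sample URLs are assumptions constructed for the illustration.

```csharp
using System;

// Added example, not from the thread: same-origin check for a state-changing request.
public static class CsrfOriginCheck
{
    // Returns true when the Origin header (preferred) or the Referer header names the same
    // scheme and authority as the request itself. A missing header is rejected: a form or
    // script request issued from the application's own pages carries at least one of them.
    public static bool IsSameOrigin(string originHeader, string refererHeader, Uri requestUrl)
    {
        string candidate = !string.IsNullOrEmpty(originHeader) ? originHeader : refererHeader;

        // Browsers send the literal "null" as Origin in some cases (sandboxed frames,
        // data: URLs); treat it as unknown rather than as the application's own origin.
        if (string.IsNullOrEmpty(candidate) ||
            string.Equals(candidate, "null", StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        // Uri.TryCreate instead of Request.UrlReferrer: UrlReferrer throws a
        // UriFormatException when the Referer header is malformed.
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out Uri source))
        {
            return false;
        }

        return string.Equals(source.Scheme, requestUrl.Scheme, StringComparison.OrdinalIgnoreCase)
            && string.Equals(source.Authority, requestUrl.Authority, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample values for the demonstration.
        var requestUrl = new Uri("https://app.example/Account/ChangeEmail");

        // The expression from the question compares the host with itself, so it holds for
        // every request, including one whose referer is another site.
        bool questionsCheck = requestUrl.Host == requestUrl.Host;
        Console.WriteLine("self-comparison: " + questionsCheck);

        Console.WriteLine(IsSameOrigin("https://app.example", null, requestUrl));
        Console.WriteLine(IsSameOrigin(null, "https://app.example/Account", requestUrl));
        Console.WriteLine(IsSameOrigin("https://evil.example", null, requestUrl));
        Console.WriteLine(IsSameOrigin(null, null, requestUrl));
        Console.WriteLine(IsSameOrigin(null, "not a url", requestUrl));
    }
}
```

In the first two calls the source matches the request's own origin and the check passes; a foreign origin, a missing header and a malformed referer all fail. The `UrlReferrer != null` half of the question's expression also passes for a forged request, because the browser sends the other site's page as the referer. Treat a header check like this as a secondary control: Referer can be suppressed by browser privacy settings or a referrer policy, which is why the token mechanism discussed further down the thread remains the primary defence.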
None
0 Points
25 Posts
Re: how to avoid the CSRF attack in ASP.net application
May 13, 2019 04:50 PM|uid586769|LINK
Thanks PatriceSc,
I would like to implement this in an ASP.NET application and would like to implement cross-site request forgery protection.
Let me know whether the above statement is enough to validate the page or whether it requires more.
Thanks
All-Star
52971 Points
23573 Posts
Re: how to avoid the CSRF attack in ASP.net application
May 13, 2019 05:50 PM|mgebhard|LINK
Please see the reference documentation.
https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks
Contributor
3500 Points
1300 Posts
Re: how to avoid the CSRF attack in ASP.net application
May 14, 2019 02:16 AM|Ackerly Xu|LINK
Hi srinisrinivas,
Generally speaking, we normally use a CSRF token to prevent CSRF attacks.
Below is a simple sample of how to implement it in Web Forms.
Generate a cookie whose value is a GUID; when it is not a postback, set the value in ViewState; when it is a postback, check whether the request contains the GUID to prevent requests from other websites.
For a full guide, you could refer to the link below.
https://security.stackexchange.com/questions/187740/two-solutions-for-csrf-on-owasp-for-asp-net-webforms
If you are using MVC, you could use the ValidateAntiForgeryToken attribute.
https://stackoverflow.com/questions/13621934/validateantiforgerytoken-purpose-explanation-and-example
Best regards,
Ackerly Xu
Please remember to click "Mark as Answer" on the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Participant
1253 Points
935 Posts
Re: how to avoid the CSRF attack in ASP.net application
May 16, 2019 11:45 AM|yogyogi|LINK
The alternative approach is to use the asp-antiforgery Tag Helper to prevent cross-site request forgery (CSRF).
♠ ASP.NET Core Tutorials → Start from the Beginning and become an Expert in 30 days time ♠
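As an added example that is not code from yogyogi, Ackerly Xu or Microsoft, the following ASP.NET Core MVC fragment brings together the two MVC-side suggestions in this thread: the asp-antiforgery Tag Helper on the form and the ValidateAntiForgeryToken attribute on the action. It also shows the Core equivalent of the custom-header idea from the original question, where a script client sends the anti-forgery request token in a header instead of a form field. The controller, action, view path and header name X-CSRF-TOKEN are assumptions chosen for the illustration.

```csharp
// Added example, not from the thread: anti-forgery protection in ASP.NET Core MVC.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Header in which script clients send the request token (assumed name).
        services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

        // Validate the token on every POST/PUT/PATCH/DELETE action by default, so an action
        // that forgets [ValidateAntiForgeryToken] is not silently left unprotected.
        services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public AccountController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    [HttpGet]
    public IActionResult ChangeEmail() => View();

    // Explicit attribute kept for clarity; the global filter above already enforces it.
    // A POST without the matching cookie token and form-field or header token is rejected
    // with 400 before this method runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangeEmail(string newEmail)
    {
        TempData["Message"] = "E-mail change requested for " + newEmail;
        return RedirectToAction(nameof(ChangeEmail));
    }

    // Script clients fetch the request token here and echo it back in X-CSRF-TOKEN.
    // The cookie half of the pair is set by GetAndStoreTokens.
    [HttpGet]
    public IActionResult Token()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { token = tokens.RequestToken, header = tokens.HeaderName });
    }
}

/* Views/Account/ChangeEmail.cshtml (Razor). With asp-antiforgery="true" the form tag
   helper emits the hidden __RequestVerificationToken field automatically:

<form asp-controller="Account" asp-action="ChangeEmail" method="post" asp-antiforgery="true">
    <input type="email" name="newEmail" />
    <button type="submit">Change e-mail</button>
</form>

   Script client using the token obtained from /Account/Token:

fetch('/Account/ChangeEmail', {
    method: 'POST',
    headers: { 'X-CSRF-TOKEN': token, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'newEmail=' + encodeURIComponent(newEmail)
});
*/
```

The global AutoValidateAntiforgeryToken filter is the safer default for an application whose endpoints are mostly browser-facing forms: the per-action attribute is then documentation rather than the only line of defence. A request from another site cannot obtain the request token, because the JSON returned by the Token action is protected by the same-origin policy and the cookie half of the pair is never exposed to script.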