Is there a way to check this? I’m using the .NET framework and want to understand more on how to protect from CSRF attacks.
Referrer checking alone won’t help you and it can bother users, so it’s better not to rely on it.
ASP.NET can help you mitigate CSRFs through the viewstate: every postback must include the viewstate, otherwise the framework will raise an exception, and since an attacker can’t read it (to read the viewstate he must fetch the page, and cross site AJAX requests are not allowed) the attack will fail.
However, as V4Vendetta pointed out, the viewstate alone is not enough: if the page does not contain controls with unique-per-user content, the viewstate will be the same for different users, so the attacker can simply submit his viewstate.
To prevent this you can place this code in every page you want to protect:
Setting the Page.ViewStateUserKey will create a unique viewstate for every user, defeating the copy/paste. Or you can use a dedicated module like this.
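An added example of the approach described in this answer (not the answerer's code, and not the snippet the answer refers to): a Web Forms base page that ties the viewstate to the current session via Page.ViewStateUserKey, and turns a failed viewstate check into a logged, generic error response. It assumes session state is enabled; the class name CsrfProtectedPage is illustrative.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Illustrative base class: pages needing CSRF protection inherit from it
// instead of System.Web.UI.Page.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ASP.NET regenerates the session ID on every request until something
        // is stored in Session, so pin it before using it as the key.
        if (Session["__keepalive"] == null)
            Session["__keepalive"] = true;

        // Must be set in OnInit (Page_Init): the key is folded into the viewstate
        // MAC, so setting it later throws InvalidOperationException. A viewstate
        // captured in one session then fails validation when replayed in another.
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }

    protected override void OnError(EventArgs e)
    {
        // A viewstate that fails the MAC check (copied from another session,
        // tampered with, or stale) surfaces as ViewStateException, usually wrapped
        // in an HttpException. Log it and return a generic 400 instead of the
        // default error page, which would reveal framework details.
        Exception ex = Server.GetLastError();
        bool viewStateFailure = ex is ViewStateException
            || (ex != null && ex.InnerException is ViewStateException);
        if (viewStateFailure)
        {
            System.Diagnostics.Trace.TraceWarning(
                "Viewstate validation failed for {0} from {1}",
                Request.Path, Request.UserHostAddress);
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 400;
            Response.Write("Invalid request.");
            Response.End();
            return;
        }
        base.OnError(e);
    }
}
```

The TraceWarning line is the detection hook: a burst of these from one client or against one page is a signal worth alerting on.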