[WEB SECURITY] CSRF remedies in

Ragan, Rob R rob.ragan at hp.com
Thu Jan 15 11:32:03 EST 2009

Most of us probably don't know that ViewStateUserKey won't always protect<http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx> ASP.NET applications from CSRF attacks. It doesn't work if a GET request is being used or if the ViewState MAC is disabled. When passing values using Request.Params<http://msdn.microsoft.com/en-us/library/system.web.httprequest.params.aspx> ASP.NET doesn't care what HTTP verb<http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf> is being used. This means a GET could be substituted for a POST. If the page is not a post-back the ViewState MAC is never checked. Microsoft's designation for CSRF attacks that use ViewState is One-Click attack<http://msdn.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic2>. The moral of the story is don't rely on ViewStateUserKey to protect you from CSRF, instead use it along with something like http://www.owasp.org/index.php/.Net_CSRF_Guard


P.S. http://hackademix.net/2008/12/20/introducing-abe/ is an interesting CSRF protection mechanism that lives in the browser.

From: Eric Rachner [mailto:eric at rachner.us]
Sent: Wednesday, January 14, 2009 7:30 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] CSRF remedies in

As most of us know, ASP.NET<http://ASP.NET> provides the ViewStateUserKey<http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx> feature to mitigate CSRF attacks.  But as a primarily Microsoft-oriented guy, I'm not personally aware of any equivalent solutions for use in other environments, J2EE in particular, except of course for CSRFGuard<http://www.owasp.org/index.php/CSRF_Guard>.

Does anyone happen to know whether any web app development platforms other than .NET provide CSRF mitigations like ViewStateUserKey?

Much obliged,

- Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090115/d7b5cb9d/attachment.html>

More information about the websecurity mailing list