Question: CSRF and webform ASP.NET

Answers 0
Added at 2016-12-22 07:12

I have a form with 3 fields: start date, end date and status.

Acunetix gives this error:

    /activities.aspx
    Form name: <empty>
    Form action: http://localhost:54675/activities.aspx
    Form method: GET
    Form inputs:
    - ctl00$ContentPlaceHolder1$ddlSearch_Status [Select]
    - ctl00$ContentPlaceHolder1$ddlSearch_Status [Select]
    GET /Activities.aspx HTTP/1.1
    Request headers
    Acunetix Website Audit 30
    Referer: http://localhost:54675/UserLogin.aspx
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
    Chrome/28.0.1500.63 Safari/537.36
    Accept: */*
    Cookie: ASP.NET_SessionId=m4phtctwpoaismjndfzpoapb
    Host: localhost:54675

I have implemented this in the master page code-behind:

    using System;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;

    // Master page code-behind (the class name here is a placeholder for the real one).
    public partial class SiteMaster : MasterPage
    {
        private const string AntiXsrfTokenKey = "__AntiXsrfToken";
        private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
        private string _antiXsrfTokenValue;

        protected void Page_Init(object sender, EventArgs e)
        {
            // Reuse the token from the cookie when it is present and well formed;
            // otherwise mint a new one and hand it to the browser.
            var requestCookie = Request.Cookies[AntiXsrfTokenKey];
            Guid requestCookieGuidValue;

            if (requestCookie != null
                && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
            {
                _antiXsrfTokenValue = requestCookie.Value;
                Page.ViewStateUserKey = _antiXsrfTokenValue;
            }
            else
            {
                _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
                Page.ViewStateUserKey = _antiXsrfTokenValue;

                // HttpOnly keeps script from reading the token; Secure is set when
                // the site requires SSL and this request actually arrived over it.
                var responseCookie = new HttpCookie(AntiXsrfTokenKey)
                {
                    HttpOnly = true,
                    Value = _antiXsrfTokenValue
                };

                if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
                    responseCookie.Secure = true;

                Response.Cookies.Set(responseCookie);
            }

            Page.PreLoad += master_Page_PreLoad;
        }

        protected void master_Page_PreLoad(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                // First load: stash the token and the current user name in ViewState.
                ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
                ViewState[AntiXsrfUserNameKey] =
                    Context.User.Identity.Name ?? String.Empty;
            }
            else
            {
                // Postback: the ViewState values must match the cookie token and
                // the user who is logged in now.
                if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                    || (string)ViewState[AntiXsrfUserNameKey] !=
                       (Context.User.Identity.Name ?? String.Empty))
                {
                    throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
                }
            }
        }
    }

What am I missing? And why does it only give the error for the Status field (select)?
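The following is an added example, not code from the question or from ASP.NET: a stand-alone C# console program that models the token/ViewState comparison performed by the master page above, run against a few constructed request shapes. The class, field names and sample token are assumptions. It shows that the comparison only executes on a postback; a request that carries no `__VIEWSTATE` (which is what a form submitted with `method="GET"`, as the scanner output above reports, sends) takes the `!IsPostBack` branch and never reaches the check.

```csharp
using System;
using System.Collections.Generic;

// Added example, not the question's code: a console model of the anti-XSRF
// check in the master page above, so that different request shapes can be
// compared without an ASP.NET host. All names and sample values are constructed.
public static class AntiXsrfModel
{
    public enum Outcome { Skipped, Accepted, Rejected }

    // Minimal stand-in for the parts of the request the check looks at.
    public sealed class Request
    {
        public string Method;          // "GET" or "POST"
        public string CookieToken;     // value of the __AntiXsrfToken cookie, or null
        public string ViewStateToken;  // ViewState[__AntiXsrfToken], or null when no __VIEWSTATE was posted
        public string ViewStateUser;   // ViewState[__AntiXsrfUserName], or null
        public string CurrentUser;     // Context.User.Identity.Name for this request
    }

    // Mirrors master_Page_PreLoad: the comparison only runs on a postback,
    // modelled here as a POST that carries a ViewState token.
    public static Outcome Validate(Request r)
    {
        bool isPostBack = r.Method == "POST" && r.ViewStateToken != null;
        if (!isPostBack)
            return Outcome.Skipped;  // first load or a plain GET: the else-branch is never entered

        // Page_Init: the expected token comes from the cookie; when the cookie is
        // missing a fresh GUID is minted, which can never match the posted ViewState.
        string expectedToken = r.CookieToken ?? Guid.NewGuid().ToString("N");

        bool tokenMatches = string.Equals(r.ViewStateToken, expectedToken, StringComparison.Ordinal);
        bool userMatches = string.Equals(r.ViewStateUser ?? string.Empty,
                                         r.CurrentUser ?? string.Empty, StringComparison.Ordinal);
        return tokenMatches && userMatches ? Outcome.Accepted : Outcome.Rejected;
    }

    public static void Main()
    {
        const string token = "3f2c0c4d9e2b4f0f8f9a1b2c3d4e5f60";  // constructed sample token

        var cases = new Dictionary<string, Request>
        {
            ["legitimate postback"] = new Request
            {
                Method = "POST", CookieToken = token, ViewStateToken = token,
                ViewStateUser = "alice", CurrentUser = "alice"
            },
            ["postback whose ViewState was issued under another token"] = new Request
            {
                Method = "POST", CookieToken = token, ViewStateToken = "ffffffffffffffffffffffffffffffff",
                ViewStateUser = "alice", CurrentUser = "alice"
            },
            ["postback after the logged-in user changed"] = new Request
            {
                Method = "POST", CookieToken = token, ViewStateToken = token,
                ViewStateUser = "alice", CurrentUser = "bob"
            },
            ["GET search form, no ViewState at all"] = new Request
            {
                Method = "GET", CookieToken = token, ViewStateToken = null,
                ViewStateUser = null, CurrentUser = "alice"
            },
        };

        foreach (var kv in cases)
            Console.WriteLine("{0,-58} -> {1}", kv.Key, Validate(kv.Value));
    }
}
```

Compile it with `csc AntiXsrfModel.cs` (or drop it into a console project) and run; the four cases come out as Accepted, Rejected, Rejected and Skipped in that order. The point for the defender is the last case: the ViewStateUserKey pattern protects actions that happen inside a POST postback, and says nothing about a request that arrives without ViewState. Whether a GET-only filter form needs its own token depends on whether that request changes any state on the server; anything that does should be performed only through the postback path that this check actually covers.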
