[Owasp-leaders] CSRF Guidance at OWASP

johanna curiel curiel johanna.curiel at owasp.org
Sun May 22 19:15:57 UTC 2016


Hi Jim

Recently I did a pen test where a .NET developer used the ViewState to
avoid CSRF attacks.

When you create a PoC with Burp, the attack is still possible. Now, I'm
quite unsure if the issue is:

Burp/ZAP PoC CSRF forms copy/paste the same 'ViewState' encoded code with
the user session (which is what this does).

But if an attacker generates a page for the victim to click, the ViewState
will not be the same and therefore the attack will not work.

ASP.NET MVC offers the option to use anti-CSRF tokens:
http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages


There are developers not using MVC who could still use CSRF token .NET
libraries, which is what I recommend.
The last update of this open source project is from 2008, which is quite updated:

On Sun, May 22, 2016 at 2:00 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Folks,
>
> One of the older cheatsheets is the CSRF Cheatsheet (1.2+mil hits). Dave
> Wichers recently took a stab at a fairly major revision to account for
> modern defense strategies. Can you take a look and provide feedback if
> you have expertise in this area? This is a difficult topic to discuss
> concisely, IMO.
>
>
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
>
> Thanks + Aloha, Jim
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
Johanna Curiel
OWASP Volunteer
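As an added example (not Johanna's code, nor Microsoft's AntiForgery implementation), here is a minimal synchronizer token check in Python that illustrates the session-binding point from the message above: a token is only accepted together with the session it was issued for, so a token copied out of another session (the Burp copy/paste scenario) is rejected. The session ids and the signing key are constructed values.

```python
import hmac
import hashlib
import secrets

# Constructed server-side key; a real deployment keeps this in protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Create a synchronizer token bound to the caller's session.

    Token layout: nonce || HMAC-SHA256(key, session_id || nonce), hex encoded.
    Binding to session_id is what makes a copied token useless elsewhere.
    """
    nonce = secrets.token_bytes(16)
    mac = hmac.new(SERVER_KEY, session_id.encode() + nonce, hashlib.sha256).digest()
    return (nonce + mac).hex()


def verify_token(session_id: str, token: str) -> bool:
    """Return True only if token was issued for session_id (constant-time compare)."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return False
    if len(raw) != 16 + 32:
        return False
    nonce, mac = raw[:16], raw[16:]
    expected = hmac.new(SERVER_KEY, session_id.encode() + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def handle_post(session_cookie: str, form_token: str) -> str:
    """Simulated state-changing handler: refuse unless the form token matches the session."""
    if not verify_token(session_cookie, form_token):
        return "403 anti-CSRF token mismatch"
    return "200 profile updated"


def demo() -> dict:
    victim_session = "victim-session-id"      # constructed sample value
    attacker_session = "attacker-session-id"  # constructed sample value
    victim_token = issue_token(victim_session)
    # A token obtained by loading the same form in a different session
    other_token = issue_token(attacker_session)
    return {
        # Legitimate form: token and cookie belong to the same session
        "legit": handle_post(victim_session, victim_token),
        # Forged form carries a token from another session but is sent with the victim's cookie
        "cross_session": handle_post(victim_session, other_token),
        # Malformed token
        "garbage": handle_post(victim_session, "not-hex"),
    }
```

The `cross_session` case is the one that matters for the ViewState question: a CSRF defence only works if the value in the form cannot be reused across sessions.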