[Owasp-leaders] CSRF Guidance at OWASP

johanna curiel curiel johanna.curiel at owasp.org
Sun May 22 19:20:57 UTC 2016


Sorry, sent before I was finished

Hi Jim

Recently I did a pen test where a .NET developer used the ViewState to
avoid CSRF attacks

When you create a PoC with Burp, the attack is still possible. Now, I'm
quite unsure if the issue is:

Burp/ZAP PoC CSRF form copy/paste the same 'ViewState' encoded code with
the user session (which is what this does)

But if an attacker generates a page for the victim to click, the ViewState
will not be the same and therefore the attack will not work.

ASP.NET MVC offers the option to use anti-CSRF tokens
http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages


There are developers not using MVC but still could use CSRF token .NET
libraries, which is what I recommend.
Last update of this open source project is from 2008, which is quite outdated:
https://anticsrf.codeplex.com

So I feel that .NET devs not using MVC and older versions of the .NET
framework < 4 are at a disadvantage. The ViewState is also not the most
reliable thing to use

Does anyone know a better method to protect against CSRF attacks for .NET
using < 4 and not MVC?

Regards
On Sun, May 22, 2016 at 3:15 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Jim
>
> Recently I did a pen test where a .NET developer used the ViewState to
> avoid CSRF attacks
>
> When you create a PoC with Burp, the attack is still possible. Now, I'm
> quite unsure if the issue is:
>
> Burp/ZAP PoC CSRF form copy/paste the same 'ViewState' encoded code with
> the user session (which is what this does)
>
> But if an attacker generates a page for the victim to click, the
> ViewState will not be the same and therefore the attack will not work.
>
> ASP.NET MVC offers the option to use anti-CSRF tokens
>
> http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages
>
>
> There are developers not using MVC but still could use CSRF token .NET
> libraries, which is what I recommend.
> Last update of this open source project is from 2008, which is quite
> outdated:
>
> On Sun, May 22, 2016 at 2:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Folks,
>>
>> One of the older cheatsheets is the CSRF Cheatsheet (1.2+mil hits). Dave
>> Wichers recently took a stab at a fairly major revision to account for
>> modern defense strategies. Can you take a look and provide feedback if
>> you have expertise in this area? This is a difficult topic to discuss
>> concisely, IMO.
>>
>>
>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
>>
>> Thanks + Aloha, Jim
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>



-- 
Johanna Curiel
OWASP Volunteer
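For the non-MVC, pre-4.0 WebForms case the thread asks about, here is an added example (not code from the thread, from OWASP, or from the CodePlex project) of a base page that combines two defenses: Page.ViewStateUserKey, which ties the ViewState MAC to the user's session, and a per-session synchronizer token carried in a hidden field. It assumes session state is enabled and enableViewStateMac is left at its default of true; the field name and session key are my own choice.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class CsrfProtectedPage : Page
{
    private const string TokenField = "__CSRFTOKEN";    // hidden field name (assumed)
    private const string TokenSessionKey = "CsrfToken"; // session slot (assumed)

    protected override void OnInit(EventArgs e)
    {
        // Ties the ViewState MAC to this session (must run in Init, before ViewState loads),
        // so a __VIEWSTATE captured in another session, e.g. a Burp PoC, fails on postback.
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }

    protected override void OnLoad(EventArgs e)
    {
        // Every postback must carry the token issued to this session.
        if (IsPostBack && !TokenIsValid(Request.Form[TokenField], Session[TokenSessionKey] as string))
            throw new HttpException(403, "CSRF token missing or invalid.");
        base.OnLoad(e);
    }

    protected override void OnPreRender(EventArgs e)
    {
        // One random token per session; storing it also keeps the session (and SessionID) stable.
        string token = Session[TokenSessionKey] as string;
        if (token == null)
        {
            byte[] raw = new byte[32];
            new RNGCryptoServiceProvider().GetBytes(raw);
            token = Convert.ToBase64String(raw);
            Session[TokenSessionKey] = token;
        }
        ClientScript.RegisterHiddenField(TokenField, token);
        base.OnPreRender(e);
    }

    // Constant-time comparison so a mismatch does not leak timing information.
    internal static bool TokenIsValid(string submitted, string expected)
    {
        if (submitted == null || expected == null || submitted.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= submitted[i] ^ expected[i];
        return diff == 0;
    }
}
```

Pages that inherit from this class get both checks on every postback; a cross-site form that replays a ViewState or token taken from the tester's own session is rejected, which is the behaviour the Burp PoC in the thread would otherwise bypass.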

