[Owasp-leaders] CSRF Guidance at OWASP

johanna curiel curiel johanna.curiel at owasp.org
Sun May 22 19:34:03 UTC 2016


The ViewStateUserKey approach protects against One-Click Attacks. One-Click
Attack is sometimes incorrectly referred to as Microsoft's name for
Cross-Site Request Forgery. However, this is not entirely correct.
One-Click Attacks refer to a subset of CSRF attacks - one that uses a
malicious ViewState to perform the request. Because web forms developed
with ASP.NET use ViewState for post-backs, an attacker can perform the
post-back they want the user to perform unknowingly, and record the
ViewState. Due to the way that ASP.NET ignores HTTP verbs when using
Request.Params versus Request.Form, and in web controls, this request can
often be made via GET.

For more details please see Alex Smolen's blog entry
http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx

On Sun, May 22, 2016 at 3:20 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Sorry, sent before I was finished
>
> Hi Jim
>
> Recently I did a pen test where a .NET developer used the ViewState to
> avoid CSRF attacks.
>
> When you create a PoC with Burp, the attack is still possible. Now, I'm
> quite unsure if the issue is:
>
> The Burp/ZAP CSRF PoC form copies/pastes the same 'ViewState' encoded code with
> the user session (which is what this does).
>
> But if an attacker generates a page for the victim to click, the
> ViewState will not be the same and therefore the attack will not work.
>
> ASP.NET MVC offers the option to use anti-CSRF tokens:
>
> http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages
>
>
> There are developers not using MVC who could still use CSRF token .NET
> libraries, which is what I recommend.
> The last update of this open-source project is from 2008, which is quite
> outdated:
> https://anticsrf.codeplex.com
>
> So I feel that .NET devs not using MVC and older versions of the .NET
> framework < 4 are at a disadvantage. The ViewState is also not the most
> reliable thing to use.
>
> Does anyone know a better method to protect against CSRF attacks for
> .NET < 4 and not MVC?
>
> Regards
>
> On Sun, May 22, 2016 at 3:15 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Jim
>>
>> Recently I did a pen test where a .NET developer used the ViewState to
>> avoid CSRF attacks.
>>
>> When you create a PoC with Burp, the attack is still possible. Now, I'm
>> quite unsure if the issue is:
>>
>> The Burp/ZAP CSRF PoC form copies/pastes the same 'ViewState' encoded code with
>> the user session (which is what this does).
>>
>> But if an attacker generates a page for the victim to click, the
>> ViewState will not be the same and therefore the attack will not work.
>>
>> ASP.NET MVC offers the option to use anti-CSRF tokens:
>>
>> http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages
>>
>>
>> There are developers not using MVC who could still use CSRF token .NET
>> libraries, which is what I recommend.
>> The last update of this open-source project is from 2008, which is quite
>> outdated:
>>
>> On Sun, May 22, 2016 at 2:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Folks,
>>>
>>> One of the older cheatsheets is the CSRF Cheatsheet (1.2+mil hits). Dave
>>> Wichers recently took a stab at a fairly major revision to account for
>>> modern defense strategies. Can you take a look and provide feedback if
>>> you have expertise in this area? This is a difficult topic to discuss
>>> concisely, IMO.
>>>
>>>
>>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
>>>
>>> Thanks + Aloha, Jim
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>



-- 
Johanna Curiel
OWASP Volunteer
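The thread asks how a Web Forms application on .NET < 4 without MVC can defend itself, and whether a Burp PoC that copies the victim's own ViewState proves anything. The following is an added example, not code from this thread, from OWASP, or from any of the linked projects. It shows both halves of the defence discussed above in one base page class: ViewStateUserKey bound to the session (so a ViewState blob replayed from another session fails MAC validation) plus a session-bound synchronizer token that does not depend on ViewState at all. It assumes classic ASP.NET Web Forms with session state enabled and a server-side form on each page; the class name SecurePage and the field/session key names are my own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Added example (not from the mailing-list thread). Base class for Web Forms
// pages on .NET 2.0 through 4.x, no MVC required. Derive every page that
// performs a state-changing postback from this class.
public abstract class SecurePage : Page
{
    private const string TokenField = "__CsrfToken"; // hidden form field (my name)
    private const string SessionKey = "CsrfToken";   // session slot for the expected value (my name)

    protected override void OnInit(EventArgs e)
    {
        // 1. Tie the ViewState MAC to this session. A ViewState blob captured by an
        //    attacker, or copied into a Burp/ZAP CSRF PoC from the tester's own
        //    session, then fails "Validation of viewstate MAC" when submitted from
        //    any other session. This must be set during the Init stage, before
        //    ViewState is loaded on a postback.
        ViewStateUserKey = Session.SessionID;

        base.OnInit(e);

        // 2. Synchronizer token independent of ViewState: one unpredictable value
        //    per session, echoed in a hidden field and checked on every postback.
        //    It still holds when a page disables ViewState or a control posts back
        //    via GET, which the thread notes ASP.NET tolerates via Request.Params.
        string expected = Session[SessionKey] as string;
        if (expected == null)
        {
            expected = NewToken();
            Session[SessionKey] = expected; // storing something also pins SessionID
        }

        if (IsPostBack)
        {
            // Refuse state changes that did not arrive as a POST body.
            if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
                throw new HttpException(403, "Postback must use POST");

            // Read the token from the form body only, never from Request.Params,
            // so a crafted query string cannot satisfy the check.
            string submitted = Request.Form[TokenField];
            if (submitted == null || !FixedTimeEquals(submitted, expected))
                throw new HttpException(403, "Missing or invalid anti-CSRF token");
        }

        // Re-emit the token in every response so the next postback carries it.
        ClientScript.RegisterHiddenField(TokenField, expected);
    }

    // 256 bits from the platform CSPRNG, base64 so it survives as a form value.
    private static string NewToken()
    {
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);
        return Convert.ToBase64String(raw);
    }

    // Compare without stopping at the first mismatching character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two caveats a pentester or developer should check alongside this. First, the ViewStateUserKey half only bites if the ViewState MAC is actually on: on frameworks before 4.5.2 confirm that web.config does not set `enableViewStateMac="false"` on the `<pages>` element (setting `viewStateEncryptionMode="Always"` there also keeps ViewState contents out of the attacker's reach). Second, ASP.NET issues a fresh SessionID on every request until something is stored in session; the code above stores the token on the first hit, so the key used to MAC the page's ViewState is the one that persists. To test the defence properly, generate the Burp/ZAP PoC from one browser profile and submit it from a second, logged-in profile; copying the ViewState and token within the same session, as the thread describes, will always succeed and says nothing about the cross-session case that matters for CSRF.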