Channel: AntiCSRF
Viewing all 34 articles

Updated Wiki: Home


AntiCSRF - A Cross Site Request Forgery (CSRF) module for ASP.NET

Description

AntiCSRF makes it easier for ASP.NET developers to guard themselves against Cross Site Request Forgery. You'll no longer have to manually add and check protection tokens to protect yourself against CSRF attacks.

AntiCSRF is developed in C#.

Notes

The normal recommended way of adding a CSRF token to an ASP.NET application is to use ViewState in combination with a ViewStateUserKey. This requires ViewState to be enabled and an application to have some way of identifying a user uniquely, usually via a SessionID, which in turn requires session state to be enabled. AntiCSRF does not have these requirements; instead it requires cookies to be enabled on the user's browser and uses a temporary cookie, cleared when the browser is closed, to identify a user and a hidden form field to carry the CSRF token.

The ViewStateUserKey approach protects against One-Click Attacks. One-Click Attack is sometimes incorrectly referred to as Microsoft's name for Cross-Site Request Forgery. However, this is not entirely correct. One-Click Attacks refer to a subset of CSRF attacks - those that use a malicious ViewState to perform the request. Because web forms developed with ASP.NET use ViewState for post-backs, an attacker can perform the post-back they want the user to perform unknowingly, and record the ViewState. Due to the way that ASP.NET ignores HTTP verbs when using Request.Params versus Request.Form, and in web controls, this request can often be made via GET. For more details please see Alex Smolen's blog entry http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx

Usage instructions

  • Add a reference to the AntiCSRF assembly, or copy the assembly to your web application's BIN folder.
  • Add a reference to the module in your web.config:
    • For IIS6/IIS7 in Classic ASP.NET mode
<system.web>
  ....
  <httpModules>
    <add name="AntiCSRF" type="Idunno.AntiCsrf.AntiCsrfModule, Idunno.AntiCsrf"/>
  </httpModules>
  ....
</system.web>
    • For IIS7 in integrated pipeline mode (modules are registered under system.webServer, not system.web)
<system.webServer>
  ....
  <modules>
    <add name="AntiCSRF" type="Idunno.AntiCsrf.AntiCsrfModule, Idunno.AntiCsrf"/>
  </modules>
  ....
</system.webServer>
  • Opt out any pages you do not want protected by adding the Idunno.AntiCsrf.SuppressCsrfCheck attribute to their declarations, for example
[Idunno.AntiCsrf.SuppressCsrfCheck]
public partial class unprotectedPage : System.Web.UI.Page
  • For pages without a CodeBehind class you can opt out by implementing the Idunno.AntiCsrf.ISuppressCsrfCheck interface, for example
<%@ Page Language="C#" EnableViewState="false" %>
<%@ Implements Interface="Idunno.AntiCsrf.ISuppressCsrfCheck" %>

Configuration

The module supports configuration via web.config. In order to utilise the configuration options you must first add a custom configuration section to your web.config
<configuration>
    ....
    <configSections>
        ....
        <section name="csrfSettings"  type="Idunno.AntiCsrf.Configuration.CsrfSettings, Idunno.AntiCsrf" />   
        ....
    </configSections>
</configuration>
Then create a configuration section in your web.config
<configuration>
    ....
    <csrfSettings cookieName="__CSRFCOOKIE" formFieldName="__CSRFTOKEN" detectionResult="RaiseException" errorPage="" />
</configuration>
The configuration options are as follows
Name             Purpose
cookieName       Specifies the name of the cookie used to hold the anti-CSRF token. This defaults to CSRFCOOKIE.
formFieldName    Specifies the name of the form field used to hold the anti-CSRF token. This defaults to CSRFTOKEN.
detectionResult  Either RaiseException, which throws an exception on a potential CSRF attack, or Redirect, which redirects to the URL specified in the errorPage setting. You must set a URL in the errorPage setting if you choose Redirect. This defaults to RaiseException.
errorPage        The page to redirect to if detectionResult is set to Redirect.

Limitations

  • You, the developer, must ensure your GET requests are idempotent (i.e. the side-effects of multiple identical requests are the same as for a single request). GET requests are not protected with this module. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.2.
  • Non-ASP.NET forms are not protected with this module.

Disclaimer

  • This software is provided "as-is". You bear the risk of using it. The contributors give no express warranties, guarantees or conditions. Like any security software this should become part of your defence in depth strategy and should not be solely relied upon for protection.


Created Issue: Module does not protect against forged post-backs using HTTP verbs other than GET. [14105]

The AntiCsrfModule.PageLoad method contains logic to verify that post-backs are not being submitted as HTTP GET requests. The logic of this method currently uses an opt-out approach, only raising an exception when a post-back occurs as the result of a GET request. This opt-out approach allows forged post-back requests that use HTTP verbs other than GET (for instance, HEAD).

Although the attack vector surfaced by this issue is admittedly small, the fix for the issue appears to be inconsequential. By changing the logic of the conditional in the method to read as follows, the loophole of non-GET HTTP verbs is closed:

if (page.IsPostBack && !page.Request.HttpMethod.Equals("POST"))
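The check the wiki describes (a temporary cookie paired with a hidden form field, with detectionResult deciding what happens on a mismatch) together with the stricter verb test proposed in this issue, as an added Python model that is not the module's own code. Request, CsrfSettings and check_request are hypothetical names; the two "missing" error strings are those quoted elsewhere on this page, the other messages are constructed.

```python
# Added example, not the AntiCSRF project's own code: a framework-neutral
# Python model of the double-submit-cookie check the wiki describes, with
# the stricter verb test proposed in issue 14105. Request, CsrfSettings and
# check_request are hypothetical names; the two "missing" messages are
# those quoted on this page, the other messages are constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from html import escape


class PotentialCsrfException(Exception):
    """Thrown when detectionResult is RaiseException (type name as on the page)."""


@dataclass
class CsrfSettings:
    # Mirrors the attributes of the <csrfSettings> element in web.config.
    cookie_name: str = "__CSRFCOOKIE"
    form_field_name: str = "__CSRFTOKEN"
    detection_result: str = "RaiseException"  # or "Redirect"
    error_page: str = ""


@dataclass
class Request:
    # Minimal stand-in for HttpRequest: verb, post-back flag, cookies, form body.
    method: str
    is_postback: bool = False
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_token() -> str:
    # Value for the temporary (session) cookie that identifies the browser.
    return secrets.token_urlsafe(32)


def hidden_field(settings: CsrfSettings, token: str) -> str:
    # The hidden form field carrying the token, as rendered into a protected page.
    return (f'<input type="hidden" name="{escape(settings.form_field_name)}" '
            f'value="{escape(token)}" />')


def _detect(settings: CsrfSettings, message: str):
    # Apply the configured detectionResult to a detected problem.
    if settings.detection_result == "Redirect":
        if not settings.error_page:  # the wiki requires errorPage in this mode
            raise ValueError("errorPage must be set when detectionResult is Redirect")
        return ("Redirect", settings.error_page)
    raise PotentialCsrfException(message)


def check_request(request: Request, settings: CsrfSettings):
    """Return "Allowed", return ("Redirect", url), or raise PotentialCsrfException."""
    # Limitation from the wiki: ordinary GET requests are not checked at all.
    if request.method == "GET" and not request.is_postback:
        return "Allowed"
    # Issue 14105: a post-back must arrive as POST, not as GET, HEAD or any other verb.
    if request.is_postback and request.method != "POST":
        return _detect(settings, f"Post-back submitted via {request.method}.")
    cookie = request.cookies.get(settings.cookie_name)
    token = request.form.get(settings.form_field_name)
    if cookie is None and token is None:
        return _detect(settings, "No CSRF cookie supplied and CSRF form field is missing.")
    if cookie is None:
        return _detect(settings, "No CSRF cookie supplied.")
    if token is None:
        return _detect(settings, "CSRF form field is missing.")
    # Constant-time comparison so the check leaks nothing about the token bytes.
    if not hmac.compare_digest(cookie.encode(), token.encode()):
        return _detect(settings, "CSRF form field does not match the CSRF cookie.")
    return "Allowed"
```

A script-driven POST passes the check only when it sends both the cookie and the form-field value, which is the situation behind the jQuery AJAX report elsewhere on this page.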

Created Issue: Error: CSRF form tag missing When using JQuery AJAX Post [15125]

How should I use this AntiCSRF for jQuery AJAX POST? It is throwing "CSRF form tag is missing". Any suggestion on how to use it while working with jQuery AJAX?

Thanks!
Ashok

New Post: Error with POSTing to page different from GET page


I get the following error when the aspx page that receives the POST is different from the aspx page that responds to the GET:

Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace:

[MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture.  Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.]
   System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +7676578
   System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +583
   System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +583
   System.Resources.ResourceManager.GetString(String name, CultureInfo culture) +74
   Idunno.AntiCsrf.Properties.Resources.get_exceptionMessageFormFieldMissing() +27
   Idunno.AntiCsrf.AntiCsrfModule.PreRequestHandlerExecute(Object source, EventArgs eventArgs) +640
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75



Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3053


New Post: Please help me figure out why I'm getting "Could not find any resources appropriate .." err


You're not the first person to see this, and I can't reproduce it myself.

Could you download the source and in the assemblyinfo.cs file remove the following two lines and let me know if that solves it?

[assembly: AssemblyCulture("")]
[assembly: NeutralResourcesLanguageAttribute("en")]

New Post: Please help me figure out why I'm getting "Could not find any resources appropriate .." err


Hi

I have this issue and I tried setting culture features in my project, but I can't do it, because my C# programming skills are very basic.

So I downloaded the source AntiCSRF-35092.zip and recompiled the Releases\0.9.1 Beta source.

Then I removed the original DLL Idunno.AntiCsrf.dll from my project and copied in the new DLL built from the recompiled source with these lines removed from assemblyinfo.cs:

[assembly: AssemblyCulture("")]
[assembly: NeutralResourcesLanguageAttribute("en")]

The application works fine!!! My web.config just redirects to an HTML page when a CSRF attack is detected, so I will try the detectionResult="RaiseException" feature for logging these attacks.

I hope this info is useful for somebody.

See you!

Source code checked in, #52373


Commented Issue: Error running under non English culture [13582]

When I try to run inside the development server this page showed instead of the exception page. What does this error mean and how do I solve it, since I already followed the readme file?

Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "Idunno.AntiCsrf.Properties.Resources.resources" was correctly embedded or linked into assembly "Idunno.AntiCSRF" at compile time, or that all the satellite assemblies required are loadable and fully signed.]
System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +655
System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +681
System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents) +681
System.Resources.ResourceManager.GetString(String name, CultureInfo culture) +77
Idunno.AntiCsrf.AntiCsrfModule.PreRequestHandlerExecute(Object source, EventArgs eventArgs) +626
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
Comments: ** Comment from web user: guybartal **

Hi,

I've encountered the same unhandled exception in Hebrew.

Reviewed: 0.9.1 Beta (apr 20, 2011)

Rated 5 Stars (out of 5) - Excellent library! This sort of stuff is really hard to get right yourself.

Commented Issue: Error: CSRF form tag missing When using JQuery AJAX Post [15125]

How should I use this AntiCSRF for jQuery AJAX POST? It is throwing "CSRF form tag is missing". Any suggestion on how to use it while working with jQuery AJAX?

Thanks!
Ashok
Comments: ** Comment from web user: petekcchen **

Hi Ashok,
Have you tried to post the data with the CSRF token in the hidden field to see if it works?

Created Issue: 'CSRF form field is missing' exception thrown when using Server.Transfer to redirect pages [20894]

When I try to redirect a certain page using ‘Server.Transfer’, this causes an exception saying ‘CSRF form field is missing’. Instead, the page can be redirected successfully using ‘Response.Redirect’. Any idea?

New Post: AntiCSRF for .NET 1.1


Hi,

The AntiCSRF 0.9.1 Beta is for .NET 2.0?

How about .NET 1.1?

 

Thanks!

 

New Post: JSON


Hi, I'm wondering if this AntiCSRF module protects JSON web methods. I realize CORS would prevent JSON requests to some degree, but you can make a JSON request with a content type of application/x-www-form-urlencoded. How would I protect against such a request without utilizing MVC?

Commented Issue: Module does not protect against forged post-backs using HTTP verbs other than GET. [14105]

The AntiCsrfModule.PageLoad method contains logic to verify that post-backs are not being submitted as HTTP GET requests. The logic of this method currently uses an opt-out approach, only raising an exception when a post-back occurs as the result of a GET request. This opt-out approach allows forged post-back requests that use HTTP verbs other than GET (for instance, HEAD).

Although the attack vector surfaced by this issue is admittedly small, the fix for the issue appears to be inconsequential. By changing the logic of the conditional in the method to read as follows, the loophole of non-GET HTTP verbs is closed:

if (page.IsPostBack && !page.Request.HttpMethod.Equals("POST"))
Comments: ** Comment from web user: legeox **

The change shown in the description is pretty easy to do and should fix the issue.


Source code checked in, #69708

Source code checked in, #69709

Upgrade: New Version of LabDefaultTemplate.xaml. To upgrade your build definitions, please visit the following link: http://go.microsoft.com/fwlink/?LinkId=254563

Reviewed: 0.9.1 Beta (Oct 22, 2012)

Rated 2 Stars (out of 5) - I'm surprised to be able to submit with success a form where I've deleted the CSRFTOKEN value... Is that an expected behaviour?


New Post: Re: Getting error : No CSRF cookie supplied and CSRF form field is missing.


Hi,

I am getting the following error after adding the anticsrf dll and the necessary code in the web.config file.

 

Server Error in '/Code' Application.

No CSRF cookie supplied and CSRF form field is missing.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: Idunno.AntiCsrf.PotentialCsrfException: No CSRF cookie supplied and CSRF form field is missing.

Source Error: 

Line 283:            {
Line 284:                // Whilst this does lose the stack, that's not really a bad thing here as the exception message is detailed enough.
Line 285:                throw ex;
Line 286:            }
Line 287:        }


Source File: C:\Users\vin\Desktop\anticsrf-69709\Trunk\idunno.AntiCSRF\AntiCsrfModule.cs    Line: 285 

Stack Trace: 

[PotentialCsrfException: No CSRF cookie supplied and CSRF form field is missing.]
   Idunno.AntiCsrf.AntiCsrfModule.RaiseError(Exception ex, HttpContext context) in C:\Users\vin\Desktop\anticsrf-69709\Trunk\idunno.AntiCSRF\AntiCsrfModule.cs:285
   Idunno.AntiCsrf.AntiCsrfModule.PreRequestHandlerExecute(Object source, EventArgs eventArgs) in C:\Users\vin\Desktop\anticsrf-69709\Trunk\idunno.AntiCSRF\AntiCsrfModule.cs:140
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +216
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +120



Version Information: Microsoft .NET Framework Version:2.0.50727.4952; ASP.NET Version:2.0.50727.4955

 

Pls help.

-

Thanks,

Vinay
