Thursday, May 5, 2011

ASP.Net __VIEWSTATE/__EVENTVALIDATION | Does it prevent from CSRF?

Myth:

Some web application developers  mistakenly assume ASP.Net __VIEWSTATE/__EVENTVALIDATION can thwart CSRF attacks.


Fact

As far as we know, Microsoft didn't state __VIEWSTATE/__EVENTVALIDATION as CSRF defense when ASP.Net was introduced.


Proof-of-Concept

You can craft a valid CSRF exploit by getting known __VIEWSTATE value and __EVENTVALIDATION value that you can know by simply viewing HTML source.  Unless web application processes __EVENTTARGET and __EVENTARGUMENT, you can skip these parameters.

Keywords: ASP.Net, Cross Site Request Forgery, CSRF, XSRF


2 comments:

Blair Strang said...

Right, but if you use ViewStateUserKey then it will be prevented...

d0ubl3_h3lix said...

Both ViewStateUserKey and AntiForgeryToken (ASP.NET MVC)can help.

Post a Comment