ASP.Net __VIEWSTATE/__EVENTVALIDATION | Does it prevent from CSRF?

Myth:

Some web application developers  mistakenly assume ASP.Net __VIEWSTATE/__EVENTVALIDATION can thwart CSRF attacks.


Fact

As far as we know, Microsoft didn't state __VIEWSTATE/__EVENTVALIDATION as CSRF defense when ASP.Net was introduced.


Proof-of-Concept

You can craft a valid CSRF exploit by getting known __VIEWSTATE value and __EVENTVALIDATION value that you can know by simply viewing HTML source.  Unless web application processes __EVENTTARGET and __EVENTARGUMENT, you can skip these parameters.

Keywords: ASP.Net, Cross Site Request Forgery, CSRF, XSRF


Comments

Popular posts from this blog

Bypassing referrer check with no script involved

Jumping out of Touch Screen Kiosks