Thursday, May 5, 2011

ASP.Net __VIEWSTATE/__EVENTVALIDATION | Does it prevent CSRF?

Myth:

Some web application developers mistakenly assume that ASP.Net __VIEWSTATE/__EVENTVALIDATION can thwart CSRF attacks.


Fact:

As far as we know, Microsoft did not present __VIEWSTATE/__EVENTVALIDATION as a CSRF defense when ASP.Net was introduced.


Proof-of-Concept

A valid CSRF request can be crafted using known __VIEWSTATE and __EVENTVALIDATION values, and anyone can obtain those values simply by viewing the page's HTML source. Unless the web application processes __EVENTTARGET and __EVENTARGUMENT, these two parameters can be omitted.
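The following is an added illustration, not code from the original post and not ASP.Net's real ViewState format: a simplified model in which each hidden field is a base64-encoded payload plus an HMAC under a server-wide key (standing in for the machineKey validationKey). It parses the hidden fields out of a constructed page exactly as a visitor would read them from the HTML source, and shows that a MAC keyed only by the server key validates no matter which session later submits it, whereas a MAC that also mixes in a per-session value (the role ASP.Net's ViewStateUserKey plays) does not. The key, session identifiers and form HTML are all constructed placeholders.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser

# Constructed stand-in for the server's <machineKey validationKey>.
# It is shared by every page the server renders; it is not per user.
MACHINE_KEY = b"constructed-machine-key-not-a-real-secret"
MAC_LEN = hashlib.sha256().digest_size


def sign(payload: bytes, user_key: str = "") -> str:
    """Model of a MAC-protected hidden field: base64(payload || HMAC).
    user_key plays the role of ViewStateUserKey; empty means 'not set'."""
    msg = payload + b"\x00" + user_key.encode()
    mac = hmac.new(MACHINE_KEY, msg, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify(token: str, user_key: str = "") -> bool:
    """Recompute the MAC with the server key (plus user_key) and compare in constant time."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) < MAC_LEN:
        return False
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    msg = payload + b"\x00" + user_key.encode()
    expected = hmac.new(MACHINE_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def render_form(user_key: str = "") -> str:
    """Constructed WebForms-style page. The hidden fields sit in plain HTML,
    so any visitor can read them from the page source."""
    vs = sign(b"control-tree-state", user_key)
    ev = sign(b"registered-postback-controls", user_key)
    return (
        '<form method="post" action="/Profile.aspx">\n'
        f'  <input type="hidden" name="__VIEWSTATE" value="{vs}" />\n'
        f'  <input type="hidden" name="__EVENTVALIDATION" value="{ev}" />\n'
        '  <input type="submit" name="btnSsave" value="Save" />\n'
        "</form>"
    )


class _HiddenFieldParser(HTMLParser):
    """Collects name=value for every <input type="hidden">."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html: str) -> dict[str, str]:
    """What 'view source' gives a visitor: the hidden fields of the form."""
    p = _HiddenFieldParser()
    p.feed(html)
    return p.fields


def server_accepts(fields: dict[str, str], user_key: str = "") -> bool:
    """Server-side postback check: both MAC-protected fields must validate."""
    return verify(fields.get("__VIEWSTATE", ""), user_key) and verify(
        fields.get("__EVENTVALIDATION", ""), user_key
    )


def cross_session_accepted(bind_to_session: bool) -> bool:
    """Render the page in one session, then post its hidden fields from another.
    Returns True if the second session's server-side check accepts them."""
    rendering_session = "session-A"   # placeholder: whoever viewed the source
    submitting_session = "session-B"  # placeholder: the session that later posts
    render_key = rendering_session if bind_to_session else ""
    verify_key = submitting_session if bind_to_session else ""
    fields = extract_hidden_fields(render_form(render_key))
    return server_accepts(fields, verify_key)


if __name__ == "__main__":
    print("unkeyed MAC, replayed in another session:", cross_session_accepted(False))
    print("session-keyed MAC, replayed in another session:", cross_session_accepted(True))
```

The point the model makes is that a MAC proves the fields were produced by this server, not that they were produced for this user; without a per-session key the __VIEWSTATE and __EVENTVALIDATION copied from the source of any rendering validate on every postback. In a real Web Forms page the per-session binding is done by setting Page.ViewStateUserKey (commonly to the session ID) in Page_Init with EnableViewStateMac left on, or by using a dedicated anti-forgery token; the unkeyed fields alone give no CSRF protection.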

Keywords: ASP.Net, Cross Site Request Forgery, CSRF, XSRF

