ASP.Net __VIEWSTATE/__EVENTVALIDATION | Does it prevent CSRF?


Some web application developers mistakenly assume that ASP.Net __VIEWSTATE and __EVENTVALIDATION protect against CSRF attacks.


As far as we know, Microsoft never presented __VIEWSTATE/__EVENTVALIDATION as a CSRF defense when ASP.Net was introduced.


A valid CSRF request can be built from the __VIEWSTATE and __EVENTVALIDATION values, which anyone can obtain by simply viewing the page's HTML source; by default nothing ties them to a particular user's session, so they are not a secret the attacker lacks. Unless the web application processes __EVENTTARGET and __EVENTARGUMENT, those two parameters can be omitted.

Keywords: ASP.Net, Cross Site Request Forgery, CSRF, XSRF
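The defensive counterpart to the point above is to bind ViewState to the user's session, so that a __VIEWSTATE value copied from one user's HTML source is rejected when replayed by another. The following is an added example, not code from the original post: it shows the ViewStateUserKey pattern for an ASP.NET Web Forms page and the built-in anti-forgery token for an ASP.NET MVC action. The page class, control name and action names (TransferFunds, btnTransfer, Transfer) are hypothetical.

```csharp
// Added example (not from the original post). Assumes an ASP.NET Web Forms page and
// an ASP.NET MVC controller; class, control and action names are invented here.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;

// ---- Web Forms: bind ViewState to the current session ----------------------------
public partial class TransferFunds : Page
{
    // ViewStateUserKey must be assigned before ViewState is loaded, so it belongs in
    // Page_Init (assigning it later throws). The key is mixed into the ViewState MAC,
    // so a postback whose __VIEWSTATE was generated under a different session fails
    // MAC validation and the request ends with a ViewStateException instead of
    // reaching the click handler. This only helps while MAC validation is on
    // (never set EnableViewStateMac="false"; ASP.NET 4.5.2+ refuses it anyway).
    protected void Page_Init(object sender, EventArgs e)
    {
        // ASP.NET regenerates the session ID on every request until something is
        // stored in Session state, so establish the session before relying on its ID.
        if (Session["csrf-anchor"] == null)
        {
            Session["csrf-anchor"] = true;
        }

        ViewStateUserKey = Session.SessionID;
    }

    protected void btnTransfer_Click(object sender, EventArgs e)
    {
        // Reached only after a postback whose ViewState MAC validated under this
        // user's session; a request assembled from another visitor's page source
        // never gets here.
    }
}

// ---- MVC: use the framework's anti-forgery token instead of relying on ViewState ---
public class AccountController : Controller
{
    // The view renders @Html.AntiForgeryToken() inside the <form>, which emits a
    // hidden __RequestVerificationToken field paired with a same-named cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects the request if field and cookie do not match
    public ActionResult Transfer(decimal amount, string toAccount)
    {
        // Only reached when the per-user anti-forgery pair validated.
        return RedirectToAction("Index");
    }
}
```

The Web Forms half is the pattern Microsoft documents for ViewStateUserKey; the session-establishment step is a caveat that bites otherwise, because a page that never touches Session state gets a fresh session ID on every request and the key would never match. In MVC, ViewState does not exist, so the anti-forgery token is the intended mechanism rather than a substitute.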


Blair Strang said…
Right, but if you use ViewStateUserKey then it will be prevented...
d0ubl3_h3lix said…
Both ViewStateUserKey and AntiForgeryToken (ASP.NET MVC) can help.
