Difference between revisions of "Anti CSRF Tokens ASP.NET"
m |
Line 19: | Line 19: | ||
==Related [[Attacks]]== | ==Related [[Attacks]]== | ||
− | CSRF (Attack)[https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)] | + | CSRF (Attack)[https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)]<br> |
− | CSRF (Full Wikipedia Article)[https://en.wikipedia.org/wiki/Cross-site_request_forgery] | + | CSRF (Full Wikipedia Article)[https://en.wikipedia.org/wiki/Cross-site_request_forgery]<br> |
XSS (Attack)[https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)] | XSS (Attack)[https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)] | ||
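Review bot: the trailing `<br>` tags added to the first two entries force line breaks inside one paragraph with inline HTML; the wiki's own list markup (a leading `*` per entry) gives the same one-entry-per-line rendering without it and also covers the last, unchanged entry, and the bare `[url]` references could carry a label, e.g. `* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) CSRF (Attack)]`, so the entry text itself is the link. The same applies to the Vulnerabilities, Technical Impacts and References sections below.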
Line 26: | Line 26: | ||
==Related [[Vulnerabilities]]== | ==Related [[Vulnerabilities]]== | ||
− | XSS[https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw] | + | XSS[https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw]<br> |
− | Insecure Randomness[https://www.owasp.org/index.php/Insecure_Randomness] | + | Insecure Randomness[https://www.owasp.org/index.php/Insecure_Randomness]<br> |
− | Insecure Third-Party Domain Access[https://www.owasp.org/index.php/Insecure_Third_Party_Domain_Access] | + | Insecure Third-Party Domain Access[https://www.owasp.org/index.php/Insecure_Third_Party_Domain_Access]<br> |
Non-Cryptographic Pseudo-Random Number Generator[https://www.owasp.org/index.php/Non-cryptographic_pseudo-random_number_generator] | Non-Cryptographic Pseudo-Random Number Generator[https://www.owasp.org/index.php/Non-cryptographic_pseudo-random_number_generator] | ||
Line 37: | Line 37: | ||
==Related [[Technical Impacts]]== | ==Related [[Technical Impacts]]== | ||
− | Accountability[https://www.owasp.org/index.php/Loss_of_accountability] | + | Accountability[https://www.owasp.org/index.php/Loss_of_accountability]<br> |
Confidentiality[https://www.owasp.org/index.php/Loss_of_confidentiality] | Confidentiality[https://www.owasp.org/index.php/Loss_of_confidentiality] | ||
==References== | ==References== | ||
− | CSRF Prevention (official ASP.NET blog)[http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages] | + | CSRF Prevention (official ASP.NET blog)[http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages]<br> |
Relevant Stack Overflow question[http://stackoverflow.com/questions/8253396/anti-csrf-cookie] | Relevant Stack Overflow question[http://stackoverflow.com/questions/8253396/anti-csrf-cookie] | ||
[[Category:OWASP .NET Project]][[Category:Stub]] | [[Category:OWASP .NET Project]][[Category:Stub]] |
Revision as of 18:37, 15 August 2014
DRAFT DOCUMENT - WORK IN PROGRESS
Description
In short, CSRF abuses the trust relationship between browser and server. Anything a server uses to establish trust with a browser (most often cookies, but also HTTP authentication or even Windows Authentication) is exactly what allows CSRF to take place, because the browser attaches those credentials automatically to every request it sends to that server - but this is only the first piece of a successful CSRF attack.
The second piece is a web form or request whose parameters are predictable enough that an attacker can craft his own malicious form/request that the target service will accept. Then, usually through social engineering or XSS, the victim is made to submit that malicious form/request while authenticated to the legitimate service. This is where the browser/server trust is exploited.
In order to prevent CSRF in ASP.NET, anti-forgery tokens (also known as request verification tokens) must be used.
These tokens are simply randomly generated values included in any form/request that warrants protection and checked by the server when that form/request is submitted. Note that the value should be unique for every actual form/request, not just for every type of form/request. Because an attacker can neither predict nor read the value, a forged form/request will not carry the right token and the server can reject it; this is what protects every form/request from CSRF.
Mitigation Examples
Coming soon...
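Since the Mitigation Examples section is still empty, here is an added example, not the OWASP page's own code, showing the token mechanism described under Description as ASP.NET MVC 5 provides it: `Html.AntiForgeryToken()` in the Razor view and `[ValidateAntiForgeryToken]` on the POST action, plus an explicit `AntiForgery.Validate` call for JSON/AJAX requests that carry no form field. The controller, model, action names and the `X-RequestVerificationToken` header name are assumptions of the example. One caveat that the Related Vulnerabilities list above already hints at: an XSS flaw on the same origin lets injected script read the rendered token, so this control only holds on pages that are free of XSS.

```csharp
// Added illustration, not code from the OWASP wiki page: anti-forgery (request
// verification) tokens in an ASP.NET MVC 5 application. Assumes a standard MVC
// project referencing System.Web.Mvc and System.Web.Helpers; the controller,
// model, action names and header name below are invented for the example.
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public class TransferModel
{
    public string ToAccount { get; set; }
    public decimal Amount { get; set; }
}

public class AccountController : Controller
{
    /* Views/Account/Transfer.cshtml (Razor markup, shown here as a comment):
     *
     *   @model TransferModel
     *   @using (Html.BeginForm("Transfer", "Account", FormMethod.Post))
     *   {
     *       @Html.AntiForgeryToken()   <!-- hidden __RequestVerificationToken field -->
     *       @Html.TextBoxFor(m => m.ToAccount)
     *       @Html.TextBoxFor(m => m.Amount)
     *       <input type="submit" value="Transfer" />
     *   }
     *
     * Each call to Html.AntiForgeryToken() emits a fresh random form token and
     * sets the matching anti-forgery cookie (AntiForgeryConfig.CookieName) if
     * the browser does not already have one.
     */
    [HttpGet]
    public ActionResult Transfer()
    {
        return View();
    }

    // Server-side check: the framework compares the hidden form field with the
    // cookie and rejects the request with HttpAntiForgeryException before the
    // action body runs if either is missing or they do not match. A page on
    // another origin cannot read the cookie, so it cannot supply a matching
    // field value, which is what defeats a forged cross-site POST.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Transfer(TransferModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // ... perform the transfer for the authenticated user ...
        return RedirectToAction("Index");
    }

    // AJAX variant: when the body is JSON rather than form data there is no
    // form field for [ValidateAntiForgeryToken] to find, so the client copies
    // the value of the hidden field rendered by Html.AntiForgeryToken() into a
    // request header (name assumed here) and the action validates it explicitly.
    [HttpPost]
    public ActionResult TransferJson(TransferModel model)
    {
        HttpCookie cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;
        string formToken = Request.Headers["X-RequestVerificationToken"];

        // Throws HttpAntiForgeryException when the cookie/header pair does not
        // validate, so the transfer below never runs for a forged request.
        AntiForgery.Validate(cookieToken, formToken);

        // ... perform the transfer for the authenticated user ...
        return Json(new { ok = true });
    }
}
```

The two halves only work together: a view that renders the token without an action that validates it protects nothing, and an action marked `[ValidateAntiForgeryToken]` rejects legitimate forms that forgot `@Html.AntiForgeryToken()`, which is a useful failure because it surfaces the missing control during testing rather than in production.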
Related Attacks
CSRF (Attack)[1]
CSRF (Full Wikipedia Article)[2]
XSS (Attack)[3]
Related Vulnerabilities
XSS[4]
Insecure Randomness[5]
Insecure Third-Party Domain Access[6]
Non-Cryptographic Pseudo-Random Number Generator[7]
Related Controls
.NET CSRF Guard[8]
Related Technical Impacts
Accountability[9]
Confidentiality[10]
References
CSRF Prevention (official ASP.NET blog)[11]
Relevant Stack Overflow question[12]