How do you write unit test to test an ASP.NET web form application for CSRF?

We have an ASP.NET web form application that is probably vulnerable to attack against fake requests (CSRF). How do we start writing a unit test that alerts us to this? Using NUnit. Some tips or pointers would be great.

2 answers

You need to understand how CSRF is done. Get into a hacky way of thinking. Then you need to create automated tests that run CSRF. It will probably not be a unit test, which is more like an integration test. When you succeed in performing a CSRF attack - when your tests are red - you can fix this problem.

See the CSRF FAQ for more information on how to perform an attack. And here's a good wiki article on Testing for CSRF you should check out.


CSRF is an attack when a user is tricked (for example, by a link in an email) to perform an action with the name of the attacker, being already authenticated on your website.

There are several ways to reduce the risk you should check -

  • GET requests should not have any side effects - all actions should only be performed using POST requests. It is more difficult for an attacker to generate a POST request coming from a user.
  • You want a random unique line for each page to be sent to the user and checked when returning to the server. The cookie user will be sent in the request caused by the attacker, but the attacker will not know the line stored in the form. In .NET, I think you can use Viewstate for this.
  • For particularly sensitive (or susceptible to attacks) actions or after a period of inactivity, you can request re-authentication by the user.

OWASP (related to Torbjørn) is a really great resource and contains much more detailed explanations and tips.

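As an added example (not code from either answer or from the asker's project), here is the per-page token check the second answer describes, with NUnit tests that go red when a request arrives without the token the server issued to that session. The `CsrfTokenGuard` class, its method names and the session ids are assumed for illustration; in a real Web Forms page the issued token would live in `Session` and be echoed back from a hidden field.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using NUnit.Framework;

// Hypothetical per-session token store: issued with the page, echoed in a hidden field.
public class CsrfTokenGuard
{
    private readonly Dictionary<string, string> _issued = new Dictionary<string, string>();

    public string IssueToken(string sessionId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        _issued[sessionId] = token;
        return token;
    }

    // True only when this session has a token and the submitted value matches it.
    public bool IsValid(string sessionId, string submittedToken)
    {
        if (string.IsNullOrEmpty(submittedToken)) return false;
        if (!_issued.TryGetValue(sessionId, out var expected)) return false;
        if (expected.Length != submittedToken.Length) return false;
        var diff = 0; // constant-time compare: no early exit on the first mismatch
        for (var i = 0; i < expected.Length; i++) diff |= expected[i] ^ submittedToken[i];
        return diff == 0;
    }
}

[TestFixture]
public class CsrfTokenGuardTests
{
    // A forged cross-site request carries the victim's cookie but not the token:
    // it is missing, guessed, or copied from the attacker's own session.
    [Test]
    public void Forged_request_without_matching_token_is_rejected()
    {
        var guard = new CsrfTokenGuard();
        var attackerToken = guard.IssueToken("session-attacker");
        guard.IssueToken("session-victim");
        Assert.IsFalse(guard.IsValid("session-victim", null));
        Assert.IsFalse(guard.IsValid("session-victim", attackerToken));
    }

    [Test]
    public void Legitimate_postback_with_issued_token_is_accepted()
    {
        var guard = new CsrfTokenGuard();
        var token = guard.IssueToken("session-victim");
        Assert.IsTrue(guard.IsValid("session-victim", token));
    }
}
```

Run the fixture before the guard is wired into the page's postback handling and the first test stays red, which is the failing signal the question asks for; ASP.NET's built-in `Page.ViewStateUserKey` is the framework hook for tying ViewState to the current user in the same way.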
