Geek Answers Handbook

Creating AntiForgeryToken through dependency injection

I am working on improving the security of my website and wanted to create a token to prevent fake attempts that could be easily saved. This is what I came up with.

public class AntiForgeryToken { private readonly string _referenceToken; public AntiForgeryToken() { _referenceToken = Guid.NewGuid().ToString(); } public string ReferenceToken { get { return _referenceToken; } } }

In my base class for my MasterPage, I have a HiddenField wrapped in a property with the name: ReferenceToken

 protected virtual void Page_Load(object sender, EventArgs e) { if (!Page.IsPostBack) { InjectToken(); } ValidateToken(); } private void InjectToken() { var token = ObjectFactory.GetInstance<AntiForgeryToken>(); ReferenceToken = token.ReferenceToken; } private void ValidateToken() { var token = ObjectFactory.GetInstance<AntiForgeryToken>(); if (ReferenceToken.Equals(token.ReferenceToken, SC.InvariantCultureIgnoreCase)) return; ...do stuff for failed token }

I have a StructureMap mechanism that stores the token inside the session, so it is stored in the user session, will all this be a correct implementation of the AntiForgery scheme?

Edit: There seems to be some confusion in my question, yes, I understand that ASP.NET MVC has a built-in AntiForgeryToken scheme, this question is clearly about how to recreate this for WebForms to prevent the use of CSRF (Cross-Site Request Forgery) attack . I understand that this in no way eliminates the need to properly resolve user rights.

I was about to pick up the very link that @Neal and @solairaja sent: Preventing Sub-Counterfeiting (CSRF) using the ASP.NET MVC AntiForgeryToken () Helper . This article explains what a CSRF attack is and how MVC stops it, but its solution does not apply to web forms, so I started implementing my own.

After looking at the answer from @Neal, I think that most likely it will be an accepted answer, since I did not understand that I can just get the actual source code from the MVC tool, which is likely to replace the creation of guid. But I will leave the question open if anyone else has valuable information to add.

+6
c # dependency-injection webforms antiforgerytoken
source share
8 answers

Chris

your approach more or less imitates the anti-fake approach in MVC, except that it uses a base64 encoded byte array created from RNGCryptoServiceProvider and stores the token both on the page (hidden form field) and in the cookie. I would recommend moving more logic into the token implementation (for example, encapsulating most of the validation logic inside the token).

The code for implementing MVC is freely available at http://aspnet.codeplex.com/sourcecontrol/changeset/view/23011?projectName=aspnet#391757 , if possible you should probably consider this as well as the http: // blog. codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/ for analysis + ideas.

+4
source share

ASP.NET web forms prohibit the use of CSRF attacks from the default window if you use view mode. If you have not turned off the status display in your application, you add code to solve a problem that you do not have.

View state prevents CSRF attacks
.NET CSRF Guard - OWASP

+2
source share

First, I have to ask ... what do you really mean by "AntiForgery"? What bothers you that you are faked? The rest of the following follows only some general information that appears in memory ...

One thing I would change is not to use Guid.NewGuid. There is debate about whether this is random or not, and therefore not suitable for security purposes. However, I think it would be very difficult to attack.

Look at the RNGCryptoServiceProvider for the GetBytes method for something that should be better for creating a random token. In addition to the best chance, another advantage of this is that you can make it no matter what size you want.

Do you do this via ssl? First, ssl is the number one line of defense for a person in medium attacks. It may not be safe enough (and others may discuss it) for every need, but if you are concerned about such things, this is the starting point, if nothing else. If not, how do you guarantee that you will receive a response from the right machine, not the person in the middle who answers first? Without SSL or equivalent, your token is just as easily stolen as anything you do.

Another thing to consider when adding is that your tokens can only be good for one trip, and you are creating a new one for the client on the next trip. The reuse attempt does not work.

I would not try to replace SSL with something else of my own trick, if that is what you are thinking about. If you are worried about replaying, a one-time marker is one way to stop it. If you are worried that the user submits the same form data twice, this is one thing. I would also consider your overall application design if this bothers you. Many repetition and similar scenarios can be defeated by the sound design of your business logic, for example, not trusting the client to send you confidential information, such as the price of the product in the shopping cart.

As a starting point, also check out the various Microsoft ASP.NET and IIS security guides (for example, the Google ASP.NET website or IIS website: microsoft.com). Many smart people have solved many problems already for us.

0
source share

will all this be a valid AntiForgery implementation scheme?

As far as I can tell, it looks like you are inserting a GUID into the page and then looking for the same GUID when the page returns.

I donโ€™t know what your requirements are, so I canโ€™t say whether the circuit is really โ€œvalidโ€. However, I can point out a few things:

  • If the GUID only lives on the page, what prevents the user from reading the page on one machine and submitting the form from another? It would be nice to associate it with a cookie or session (which also uses cookies) if you have not already done so.
  • If the GUID is written to the page as a static hidden field <input> , the form can be read and submitted by bots. You can get around this by requiring the script on the page to process the token before sending it.
  • Are you using ViewState? If so, you can simply set ViewStateUserKey to some duplicate value that is unique to each client; It performs a similar function with what you described here.
0
source share

As NICK said, for me, too, the code you provided looks like you are inserting a GUID into a page, and then looking for the same GUID when the page returns. This is also a good idea when ur uses a structural map stored in a session.

But there are some built-in methods available for this AntiForgery concept.

Please refer to the link below and understand

http://blog.maartenballiauw.be/post/2008/09/01/ASPNET-MVC-preview-5s-AntiForgeryToken-helper-method-and-attribute.aspx

Now,

Check out the link below for a description of the details and approximation methodology.

http://msdn.microsoft.com/en-us/library/system.web.mvc.htmlhelper_methods.aspx

http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-%20aspnet-mvcs-antiforgerytoken-helper/

Thanks!

0
source share

It looks like it generates a canary with every request. Now, what happens if a user opens several tabs? :)

The problem with your approach (and ASP.NET MVC implementation) is that developers rely on its implementation. Such protection should be denied, not included. When I wrote the AntiCSRF module , I ended up using the ASP.NET page life cycle, which means there is no change in the base code, if only the developer wanted to select the page from the CSRF checks. You will notice that it uses one token, which lasts for the entire duration of the user's browser session - there is no real need to change the token with each request.

Now I wrote the module mainly as a way to illustrate some concepts of my future book (insert an advertisement here, grin), you could, of course, use ViewStateUserKey , but again this is a failure, not a failure.

0
source share

Safety First Rule: Do Not Try to Collapse Your Own Security

As I understand your description, this will not be a valid anti-fake scheme. All attackers will have to get around this in order to use the View Source function of their browser to find the token. Then he or she can publish whatever they want until they remember to put this token and your code will not know the difference.

Sorry if I completely misunderstood your description ...

-one
source share

Instead of using fake tokens like this, I would confirm that the authenticated user really has the necessary rights to make the required changes.

eg. this is the create user page web page, I would verify that the authenticated user has permission to create new users. Whether the page is โ€œedit user page Xโ€, I would check that the authenticated user has permission to modify user X. Perhaps because he himself is user X or an administrative user.

However, using a GUID is not very secure. Guides are created based on an algorithm written for uniqueness, not for chance. AFAIK, there are three valid name-based, time-based, and random algorithms. If the Guid algorithm used by the system (which may be modified by a future version of .NET) is time-based, then guessing the valid Guides is not very difficult.

-one
source share

More articles:


All Articles