Reputation: 413
Can you please help me resolve a CSRF issue found while using ASP.NET 2.0?
Issue description:
[1 of 3] Cross-Site Request Forgery
Severity: Medium
Test Type: Application
Vulnerable URL: https://somesite/somepage.aspx
Remediation Tasks: Decline malicious requests
Reasoning: The same request was sent twice in different sessions and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to this issue.
Upvotes: 1
Views: 1700
Reputation: 16757
I would suggest reading up on CSRF in order to identify what you want to protect and why. Basically, the issue with CSRF is that an attacker can impersonate you and get back your data. You change this by passing in session information in the request, not just from the cookie. This makes your session secure from this type of attack. Here is a better explanation than I can give:
http://palisade.plynt.com/issues/2008Jun/cross-site-request-forgery/
Here is a two-part article on security issues (including CSRF) and how to address them:
http://palisade.plynt.com/issues/2009Dec/secure-coding-aspdotnet/
http://palisade.plynt.com/issues/2010Apr/secure-coding-aspdotnet-p2/
There is also a CodePlex project called AntiCSRF that makes it easy to fix these types of problems (although it hasn't been updated in a while):
Upvotes: 1
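A worked example of what the answer describes (carrying a session-bound value in the request body, not only in the cookie) for ASP.NET 2.0 WebForms. This is an added illustration, not code from the question, the answer or the AntiCSRF project; the base-class name, the `__CSRFTOKEN` key and the 403 response are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Assumed base class: pages that accept postbacks derive from this instead of Page.
public class CsrfProtectedPage : Page
{
    // Assumed name, used both as the Session key and as the hidden form field name.
    private const string TokenKey = "__CSRFTOKEN";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Built-in ASP.NET defence: ties the ViewState MAC to this session, so a
        // ViewState captured in another session fails validation on postback.
        ViewStateUserKey = Session.SessionID;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsPostBack)
        {
            // The forged cross-site form can carry the victim's cookie, but it cannot
            // know the per-session token, so the hidden field must match the session copy.
            string expected = Session[TokenKey] as string;
            string actual = Request.Form[TokenKey];
            if (expected == null || actual == null || !FixedTimeEquals(expected, actual))
                throw new HttpException(403, "Request rejected: missing or invalid anti-CSRF token.");
        }
        else if (Session[TokenKey] == null)
        {
            Session[TokenKey] = NewToken();
        }
        // Render the session's token into the page's form as a hidden field.
        ClientScript.RegisterHiddenField(TokenKey, (string)Session[TokenKey]);
    }

    private static string NewToken()
    {
        byte[] bytes = new byte[32];                     // 256 bits from the CSPRNG
        new RNGCryptoServiceProvider().GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Compare without short-circuiting on the first mismatch (no built-in in .NET 2.0).
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The check runs in OnLoad, which ASP.NET executes before any button or change event handlers, so a rejected request never reaches the page's business logic; GET handlers that change state are not covered and should be converted to POST.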