Hack Proof Your Asp.Net Application Part 3 (Cross Site Request Forgery)
Introduction:
This is part -3 of my series Secure your Asp.Net Applications. In this article, I will describe what exactly Cross Site Request Forgery (CSRF) is and how hacker exploit it and how we can prevent from CSRF attack.
Background:
You can read my previous article of this series from :
- Hack proof your asp.net applications from SQL Injection
- Hack proof your asp.net applications from XSS Attack
Cross Site Scripting:
cross site request forgery is also known as one click attack, sea surf and session riding and abbreviated as CSRF. CSRF attack is kind of secuirty exploit attack in which attacker uses the authentication of the victim on victim's browser.
Cross-Site Request Forgery (CSRF) is an attack where a malicious site sends a request to a vulnerable site where the user is currently logged in . (Definition from - Asp.Net) .
What can this attack do:
- It can perform Actions/Proxy Requests for attacker from Victim's browsers
How is it exploited :
- Image link/ any link in email , on any website or on any blog .
- CSRF can be done using Cross Site Scripting.
- Malicious website can perform action using your authentication.
1. Image link/Any link in email or in any website :
- A user logs into website www.examplewebsite.com , using forms authentication.
- server authenticates user and response from the server includes authentication cookie.
- Without logging out , User visited a malicious website .that malicious website may contain malicious image link , post action to site user is logged in , malicious script or ajax call which will be totally hidden from visitor .This is the "cross site" part of CSRF attack.
- User will click the image or any button (filling forms and clicking submit) then browser will happily send the authentication cookie for the request because post request is like (www.examplewebsite.com/account/delete) .
- Request will run on server with the user's authentication and can perform any action , user is allowed to do.
This attack is tough to caught , and become more worse when attacker do the post from AJAX , Victim will even don't have to perform any action .This attack can breach even SSL because malicious user can send HTTPS request too like "https://examplewebsite.com/account/delete" .
2. XSS can also be used to do CSRF attack :
To learn XSS and prevention from it please see my last article of this series.
- If any website contains comment section ,malicious user can inject script to comment section.
- When an authenticated admin will logs in and visited that page where malicious user injected the script that will execute and as a result action will be performed according to the script .
as a result of above script user which having id four will get deleted .
How To Prevent CSRF :
For All Websites:
- Make ensure your get requests only used to retrieve data/resource .
- Never perform action on get requests .HTTP specifications also depicts that ,one should not perform and action on get requests . (www.examplewebsite.com/account/delete/id=4)
- POSTS/PUT/DELETE can also be forged ,to prevent those make requests unique and non-repeatable.
For Asp.Net Web Forms:
- ViewStateUserKey = Session.SessionID then viewstate will act as a form token
- Protect SessionID using Hashing and Encryption
- Use SSL to prevent sniffing of SessionID and ViewState
- Either Create a BasePage and add following code in that and check ViewState for forms and inherit all the pages from this base page.
ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a <form runat="server"> control. Viewstate can be used as a CSRF defense, as it is difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF.
To use the ViewStateUserKey property within the Viewstate to protect against spoofed post backs. Add the following in the OnInit virtual method of the Page-derived class (This property must be set in the Page.Init event)
protected override OnInit(EventArgs e) {base.OnInit(e);if (User.Identity.IsAuthenticated)ViewStateUserKey = Session.SessionID; }
The following keys the Viewstate to an individual using a unique value of your choice.
(Page.ViewStateUserKey)
This must be applied in Page_Init because the key has to be provided to ASP.NET before Viewstate is loaded. This option has been available since ASP.NET 1.1.[References from OWASP]
For Asp.Net MVC :
- Use AntiForgeryTokens
- Use SSL to prevent sniffing of AntiForgeryTokens
Basically Idea behind this token is Generate a token for forms and validate this token at the server side before performing the action.
To achieve this we will have to create a toke in View of Asp.net MVC and the this token will be verified at the Action of our controller of MVC.
Generate Token on View :
Use @Html.AntiForgeryToken() in your forms to generate token.
Use @Html.AntiForgeryToken() in your forms to generate token.
@using (Html.BeginForm()) { @Html.AntiForgeryToken(); <fieldset> Select a file <input type="file" name="file" /> <input type="submit" value="Upload" /> </fieldset> }
0 comments:
Post a Comment