ViewStateUserKey not entirely effective against CSRF

By
Jason Axley
on June 7, 2008 8:45 PM digg this!| | Comments (0) | TrackBacks (0)

Oh, how timely! Just a few days ago, a blog post about the limitations of ViewStateUserKey as a means to prevent CSRF in ASP.Net applications. The bottom line:

  1. developers can disable ViewState entirely, so it lacks central control (kind of like ripping out your firewalls and hoping everyone has an up-to-date and securely configured desktop firewall instead)
  2. There are some issues with the mechanism working over load-balanced connections or across IIS app pools where session IDs are likely not shared.
  3. Most importantly, the ViewState MAC is only checked on POSTback, so if you have apps that don't use POSTbacks, you are still vulnerable.
The article also suggests that a CSRF Guard for .Net is needed. Well, they are in luck because it is: https://www.owasp.org/index.php/.Net_CSRF_Guard

ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery - KeepItLocked.net

0 TrackBacks

Listed below are links to blogs that reference this entry: ViewStateUserKey not entirely effective against CSRF.

TrackBack URL for this entry: http://juxtaposition.axley.net/blog-bin/mt-tb.cgi/2130

Leave a comment

March 2011

Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

«« December 2010

Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Archives

Contact: Jason Axley

Search Amazon:

Amazon Logo

Search


Categories

Tag Cloud

Recent Posts

Powered by Movable Type 4.1
Subscribe to this blog's feed
[What is this?]