Blocking CSRF in .NET
Cross Site Request Forgery (CSRF or XSRF) is number 5 on the OWASP Top 10 and the “silent killer” of web app vulnerabilities. The best way to handle this problem is to use a “token” system: give every user (at minimum every session, ideally every form) a token an attacker cannot guess, embed it in each form, and have the server reject any state-changing request that does not carry the correct token. If the server side receives a request that does not contain the correct token, then the request is not processed.
In .NET, the ViewState provides this functionality…or does it? The ViewState by itself does provide some protection, but it is not a hash. It is a serialized, Base64-encoded blob of control state carried between PostBacks in the hidden __VIEWSTATE field, with a MAC (on by default through EnableViewStateMac) that stops it from being altered. What the MAC alone does not stop is replay: an attacker can record a valid ViewState from their own session and submit it in a forged request on the victim’s behalf, because the MAC is keyed only to the machine key, not to the user. To close that gap, set the ViewStateUserKey property, which mixes a per-user value (typically the session ID) into the MAC so that a ViewState recorded from one session will not validate for another. That reduces the exposure to recorded attacks.
But what if the action is triggered by a plain GET rather than a PostBack? If the request is not a PostBack, no ViewState is submitted and nothing is checked, so a page that changes state in Page_Load based on query-string parameters is wide open no matter how the ViewState is configured. There’s that false sense of security again.
Setting ViewStateUserKey is a good step, but to completely block CSRF you will still need a proper token system: a cryptographically random token long enough that brute force is hopeless, stored server-side, emitted in every form, and checked on every state-changing request regardless of HTTP verb. And don’t change state on GET at all.
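The following is an added example (not code from the original post) of what that looks like in ASP.NET WebForms: a base page that sets ViewStateUserKey in OnInit and also implements a per-session synchronizer token, generated with a cryptographic RNG, emitted as a hidden field on every rendered form, and verified with a fixed-time comparison before any state-changing handler runs. The class name CsrfProtectedPage, the session key __csrfToken and the field name __csrfField are names chosen for this example; the framework calls (ViewStateUserKey, ClientScript.RegisterHiddenField, Session, Request.Form, Request.QueryString) are real ASP.NET APIs.

```csharp
// Added example, not from the original post. Names marked "hypothetical" are
// chosen for this example; everything else is the standard ASP.NET API.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class CsrfProtectedPage : Page
{
    private const string TokenSessionKey = "__csrfToken"; // hypothetical name
    private const string TokenFieldName = "__csrfField";  // hypothetical name

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Touch the session first: ASP.NET issues a new SessionID on every
        // request until something is actually stored in Session, and a key
        // that changes between requests would make every PostBack fail.
        GetOrCreateToken();
        // Mix the session ID into the ViewState MAC so a ViewState recorded
        // in one session does not validate in another. Must be set during Init.
        ViewStateUserKey = Session.SessionID;
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        // Emit the per-session token as a hidden field on every rendered form.
        ClientScript.RegisterHiddenField(TokenFieldName, GetOrCreateToken());
    }

    // Returns the session's token, creating a 256-bit random one on first use.
    protected string GetOrCreateToken()
    {
        var token = Session[TokenSessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            Session[TokenSessionKey] = token;
        }
        return token;
    }

    // Call this at the top of every handler that changes state.
    // It checks the token whatever the verb, so a GET-driven action is not
    // silently exempt; the better fix is still to refuse to change state on GET.
    protected void RequireValidCsrfToken()
    {
        var expected = Session[TokenSessionKey] as string;
        var supplied = Request.HttpMethod == "POST"
            ? Request.Form[TokenFieldName]
            : Request.QueryString[TokenFieldName];

        if (expected == null || supplied == null || !FixedTimeEquals(expected, supplied))
        {
            throw new HttpException(403, "Missing or invalid anti-CSRF token.");
        }
    }

    // Compare without leaking where the first mismatch is via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}

// Usage in a page that derives from the base class (hypothetical handler).
public class TransferPage : CsrfProtectedPage
{
    protected void btnTransfer_Click(object sender, EventArgs e)
    {
        RequireValidCsrfToken();   // reject forged requests before doing anything
        // ... perform the transfer ...
    }
}
```

The token is per session rather than per form, which is enough to defeat a cross-site attacker who cannot read the victim's pages; if the site also has an XSS bug the token can be stolen and no CSRF defence will save it. The GET branch in RequireValidCsrfToken exists only so that a legacy handler that still acts on query-string parameters is not left unprotected; a token in a URL ends up in browser history and referer headers, so state-changing actions belong on POST.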