Cross Site Request Forgery (CSRF) is an attack that tricks the victim's browser into submitting a request to the vulnerable application, so that an action is taken on the victim's behalf without the victim's knowledge. A CSRF attack can be carried out in different ways. Which of the following aspects of an ASP.NET application would not help mitigate the risk of CSRF attacks?
- a. Use of ViewStateUserKey
- b. Use of the CSRFGuard HttpModule
- c. Securing against XSS attacks
- d. Setting the HttpOnly attribute of the session cookie
The correct answer is d: setting the HttpOnly attribute of the session cookie.
In ASP.NET, ViewState is the mechanism that preserves the values of web controls between requests; it is serialized, encoded and stored in a hidden form field (__VIEWSTATE). ViewState MAC appends a Message Authentication Code so that the server can verify the ViewState in a postback has not been tampered with. ViewStateUserKey feeds an additional per-user value (typically the session ID) into the MAC calculation, which locks the ViewState to that user or session. If that value differs between the request that rendered the page and the postback, MAC validation fails and the page raises an error, so a ViewState generated in the attacker's own session cannot be replayed as the victim. ViewStateUserKey therefore helps mitigate CSRF, but it does not offer complete protection: the MAC is only checked when a __VIEWSTATE field is present, and a forged POST that omits it entirely can still fire postback event handlers that do not depend on ViewState. Read the article "ViewStateUserKey Doesn't Prevent CSRF" for the details.
.NET CSRFGuard is an HttpModule that hooks the AcquireRequestState event and invokes the CSRFGuard object to validate the request parameters against the session. It checks whether the CSRFGuard token submitted with the request matches the one stored in the user's ASP.NET session (a synchronizer token). If no token is present in the request, or the two do not match, the module treats the request as a CSRF attack and, depending on configuration, abandons the session or redirects to a generic error page. Refer to the OWASP article on .NET CSRFGuard for more.
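The following is an added example written for this page of the two ASP.NET mechanisms just described; it is not the OWASP .NET CSRFGuard source or any ASP.NET library code. It pairs a synchronizer-token HttpModule with a base Page that sets ViewStateUserKey. It hooks PostAcquireRequestState rather than AcquireRequestState (which CSRFGuard itself uses) so that the session is guaranteed to be loaded whatever the module registration order. The class names, the __CSRFTOKEN field name and the ~/CsrfError.aspx error page are assumptions chosen for the illustration.

```csharp
// Added example (not the OWASP CSRFGuard code): a minimal synchronizer-token
// HttpModule plus a base Page that sets ViewStateUserKey. Names such as
// CsrfTokenModule, CsrfProtectedPage, __CSRFTOKEN and ~/CsrfError.aspx are
// assumptions chosen for this illustration.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;

public class CsrfTokenModule : IHttpModule
{
    // Name of both the session slot and the hidden form field carrying the token.
    public const string TokenKey = "__CSRFTOKEN";

    public void Init(HttpApplication app)
    {
        // PostAcquireRequestState fires after SessionStateModule has loaded the
        // session, so ctx.Session is populated regardless of module ordering.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        var session = ctx.Session;
        if (session == null)
            return; // handler without session state (static files, etc.)

        var expected = session[TokenKey] as string;
        if (expected == null)
        {
            // First request in this session: mint a token and remember it.
            expected = NewToken();
            session[TokenKey] = expected;
        }

        // Safe methods must not change state, so they are not checked; every
        // state-changing request must carry the token in the POST body.
        string method = ctx.Request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
            return;

        string supplied = ctx.Request.Form[TokenKey];
        if (supplied == null || !FixedTimeEquals(supplied, expected))
        {
            // Treat as CSRF: kill the session and send the user to an error page.
            session.Abandon();
            ctx.Response.Redirect("~/CsrfError.aspx", false);
            app.CompleteRequest();
        }
    }

    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Comparison whose running time does not depend on where the first
    // mismatch is, so the token cannot be guessed byte by byte from response
    // timing (CryptographicOperations.FixedTimeEquals is not on .NET Framework).
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

// Pages that derive from this class get two things: ViewState is bound to the
// session via ViewStateUserKey (which must be set in Init, before ViewState is
// loaded), and the session token is emitted as a hidden field for the module.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ViewStateUserKey = Session.SessionID;
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        var token = Session[CsrfTokenModule.TokenKey] as string;
        if (token != null && Page.Form != null)
            ClientScript.RegisterHiddenField(CsrfTokenModule.TokenKey, token);
    }
}
```

To activate the module under IIS integrated mode, register it in Web.config with <add name="CsrfTokenModule" type="CsrfTokenModule" /> inside <system.webServer><modules>. Note that the token lives in the server-side session, so an attacker's page on another origin has no way to read it, and a forged POST from that origin arrives with the victim's session cookie but without the token, which is exactly the case the module rejects.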
Any application with XSS flaws is susceptible to CSRF, because an XSS payload runs in the application's own origin and can read any non-automatically-submitted credential, such as a synchronizer token in a hidden field, that was put in place to defend against CSRF, and then submit a request that carries it. Many application worms have used the two techniques in combination. So when building defenses against CSRF attacks, it is important to also eliminate XSS vulnerabilities in the application, since such flaws can be used to get around most CSRF defenses. Note the direction of the dependency, though: fixing XSS removes a way to bypass CSRF defenses, but XSS is not required for a CSRF attack to work, so securing against XSS is necessary but not sufficient.
When the HttpOnly attribute is set on a cookie, the cookie cannot be read by client-side script. This helps mitigate cross-site scripting attacks that steal cookies holding values that identify the user to the site, such as the ASP.NET session ID or the forms authentication ticket, which an attacker could otherwise replay to masquerade as the user or obtain sensitive information. In ASP.NET it can be applied to all cookies with httpOnlyCookies="true" on the <httpCookies> element in Web.config. Although the attribute does help mitigate the risk of XSS attacks, it has no impact on a CSRF attack, because CSRF never needs to read the cookie: the browser attaches the session cookie automatically to the forged request, HttpOnly or not, and the server accepts the request as the victim's. (The cookie attribute that does constrain cross-site sending is SameSite, which is a separate setting.)