Skip to main content

CSFR attacks, ASP.NET MVC 4

CSRF stands for Cross Site Request Forgery and is a technique employed to fooling a website by executing commands on behalf of a trusted (authenticated) user.

How it works
Commonly a malicious user sends a link to another user that maybe is authenticated on the target site and uses their session to execute commands like transfer money, change the email address and stuff like that.

CSRF in action
This time I’ll be working on a web site that allows authenticated users buy pastries at the online store. In this case, the goal of the attacker is to get a bunch of muffins on somebody else’s Mastercard.

The target site has a couple of web pages that allow users to logon, buy products and see their orders history:

Before going on, something to worth to mention is that after a user is successfully authenticated to a  website, the web browser will be sending the authentication cookie on every subsequent request to the server until the session expire (usually after 20 minutes of inactivity). This means that any incoming request from that session won’t be challenged for authentication (The user will not be redirected to the login page) even if they were accessing to secure resources.

By using a web debugging tool like Fiddler we can inspect the HTTP traffic, view the HTTP headers and understand how it works.

On login:

On every subsequent request after a successful login:

* ASPXAUTH is the ASP.NET authentication cookie.

If an attacker can see the source code of the target page, he can easily compose and submit a form to perform a CSRF attack.

The bad guy at work
Doing a little of social engineering, the bad guy figures it out that the target site is very busy on Friday morning where everybody is buying pastries for the office (which is a common thing to do in my country), so he assumes that by sending emails with links to the website’s hottest offers to a bunch of people, eventually a couple of them will be customers and maybe be interested on those offers, so they will be clicking on those links and if one of them still have the session's cookie alive, he will become a victim of the attack.

How to compose and submit the form
The first step is take a look at the target page source code

Now that we know the form structure, we can build a script like this:

By using this script we are posting an order at the online store using the good guy's session that will be delivered to the bad guy's address (Also note that the form won't be displayed at all).

Wanna try it yourself?
Follow these steps:
  1. Download the sample app from here
  2. Build and run the website
  3. Register/Login
  4. Place an order
  5. View your orders history
So far, you just have used the site. Now click on this link (this is the link that the bad guy will be sending by email)  and you will see what happen. You should see a page with the message "The offer has expired, blah, blah, blah..." and then will be redirected to our website’s main page).

Now go to see your orders history and you will see what really happened ;)

If all went as planned, you should be seeing an order that you haven't posted, where the delivery address point to the bad guy's address, if this were a real site, this would have been aCSRF attack; you will be paying the bills and the bad guy will be getting stuff.

In future posts I’ll be covering some alternatives that ASP.NET provides to prevent this kind of attacks.

Note: this technique does not apply only to ASP.NET, CSRF attacks can be performed against other web technology such as Ruby on Rails or PHP.


  1. Your blog is pretty good and has some good articles which I like it especially about design.
    PHP MVC Development | Web Design Company Malaysia


Post a Comment

Popular posts from this blog

How to create MS Word documents from Office templates using C#

The OpenXML SDK allows you to do pretty much anything you want with office files such as Excel, Word, etc… While many people like this library, I found it complex, unintuitive and poorly documented, not to mention the awful xml format that uses under the hood to represent the documents, styles, etc. So I decided not to use it and build my own solution. If you, like me, don’t like that library, you will find in this post an alternative approach to build word documents from templates using c#.
A neat trick to work with Office is to use the macro recorder to understand how things work. The macro recorder allows you to start a macro, do something by hand, stop it, and then take a look at the generated VBA code. Once you do this, you are pretty much set.
This is how it looks the template I’am going to use.

Note: save the file as a Word template (.dotx)
This is the code to create Word documents from C#:

By running the code, you should get a document that looks like this.

Note that the font, forma…

Printing html using the embedded web browser control

In this post I’ll try to answer some questions about the web browser control and provide some workarounds for known issues involved in the printing process.
I'm assuming that you have some experience with the web browser control and basic knowledge of COM and hosting APIs. So I’m not going to cover those topics.
At the bottom of this page I’ve added the links to download a small library I wrote that takes care of printing HTML and a demo app so you can try it out without having to write any code by yourself.
Using the code The HtmlPrinter class will allow you to print html from an URL or just passing the html as string, you can also specify the title and the number of copies you want to print. The code may look something like this: Now that we know how to use the API let get answer some questions.
Why my app crashes when I try to print multiple copies of a page? Well, apparently when you send a lot of print commands to the web browser control, there is a lot of COM crap in between that l…

WinForms, paging the DataGridView the right way

I know this may sound like old history, but in the enterprise world there is still a lot of WinForms development. Just a couple of days ago, I had to implement a custom DataGridView capable to work over a butt load of data (100K+ records) and keep responses times acceptables.
I thought paging will be a good way to go, and as WinForms is pretty old nowadays, I supposed it will be easy to find a couple examples on the web.
While in fact I found examples, all of them were incompletes and/or they wouldn't perform well in real world apps... So I decided to roll my own component and post it online. Hopefully, someone else will find it useful ;).

The bread and butter of this solution relies on LINQ and deferred execution. As LINQ takes care of all complicated work, it was quite easy to implement.
This component also supports conditional format, sorting and some search capabilities, but in this post I will concentrate on paging only (I'll cover the rest of the features in future posts)…