AntiCSRF

A Cross Site Request Forgery (CSRF) module for ASP.NET

  • License: Ms-PL
  • Publisher Name: Blowdart
  • Operating Systems: Windows All
  • File Size: 437 KB

AntiCSRF Description

AntiCSRF was designed to be a cross site request forgery (CSRF) module for ASP.NET. AntiCSRF makes it easier for ASP.NET developers to guard themselves against Cross Site Request Forgery. You'll no longer have to manually add and check protection tokens to protect yourself against CSRF attacks.

The normal recommended way of adding a CSRF token to an ASP.NET application is to use ViewState in combination with a ViewStateUserKey. This requires ViewState to be enabled and the application to have some way of identifying a user uniquely, usually via a SessionID, which in turn requires session state to be enabled. AntiCSRF does not have these requirements; instead it requires cookies to be enabled on the user's browser and uses a temporary cookie, cleared when the browser is closed, to identify a user and a hidden form field to carry the CSRF token.

The ViewStateUserKey approach protects against One-Click Attacks. One-Click Attack is sometimes referred to as Microsoft's name for Cross-Site Request Forgery. However, this is not entirely correct. One-Click Attacks are a subset of CSRF attacks: those that use a malicious ViewState to perform the request. Because web forms developed with ASP.NET use ViewState for post-backs, an attacker can perform the post-back they want the user to perform unknowingly, and record the ViewState. Because ASP.NET ignores HTTP verbs when Request.Params is used instead of Request.Form, and in web controls, this request can often be made via GET.
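The cookie-plus-hidden-field scheme described above can be sketched as an ASP.NET HTTP module. This is an added example, not AntiCSRF's own code: the class name, the cookie and field name, and the choice to make the hidden field equal to the cookie value are assumptions, since the page does not say how the token is tied to the cookie.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Illustrative module; class, cookie and field names are hypothetical.
public class ExampleCsrfModule : IHttpModule
{
    const string Name = "__EXAMPLE_CSRF"; // assumed cookie and hidden-field name

    public void Init(HttpApplication app) { app.PreRequestHandlerExecute += OnPreHandler; }
    public void Dispose() { }

    static void OnPreHandler(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        Page page = ctx.Handler as Page;
        if (page == null) return; // only Web Forms pages are covered

        HttpCookie cookie = ctx.Request.Cookies[Name];
        string expected = cookie != null ? cookie.Value : null; // what the browser sent
        string token = expected;
        if (string.IsNullOrEmpty(token))
        {
            byte[] raw = new byte[32];
            RandomNumberGenerator.Create().GetBytes(raw);
            token = Convert.ToBase64String(raw);
            // No Expires value: a temporary cookie, dropped when the browser closes.
            ctx.Response.Cookies.Add(new HttpCookie(Name, token) { HttpOnly = true });
        }

        page.PreLoad += delegate
        {
            if (!page.IsPostBack) return;
            // A post-back must arrive as POST with the token in the form body.
            // Request.Form is read, not Request.Params, which also covers the query string.
            string posted = ctx.Request.Form[Name];
            if (ctx.Request.HttpMethod != "POST" || !FixedTimeEquals(expected, posted))
                throw new HttpException(403, "CSRF token missing or invalid.");
        };
        // Emit the hidden field so the next post-back carries the token.
        page.PreRender += delegate { page.ClientScript.RegisterHiddenField(Name, token); };
    }

    static bool FixedTimeEquals(string a, string b)
    {
        if (string.IsNullOrEmpty(a) || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The check runs in PreLoad so that it completes before any control event handler acts on the post-back.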

