Cross-Site Request Forgery Token

Hi,

Has anyone implemented any kind of CSRF token synchronization in OutSystems, or been able to use the .NET ViewStateUserKey?

Does anyone know if OutSystems has any kind of Cross-Site Request Forgery protection?



Best Regards
Hi Antonio,

Maybe you can find a better solution, but here's one that works:
- Use GenerateGuid to create a token on session start, and assign it to a session variable;
- Add a hidden field to a common web block with the value of the session variable;
- Validate the hidden field against the session variable in OnBeginWebRequest. To avoid having different logic for the first session page (and make the code slightly more efficient), I run the validation only for POST requests.

Like this, a successful attack would have to guess the GUID generated for the current session of the victim, which seems extremely unlikely.

I hope this helps.

Joao
Update:

GenerateGUID is not a secure random number generator.
Use CryptoAPI.GenerateAESKey instead, with at least 128 bits.


You can copy/paste from the attachment to jump start your own implementation.
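The three steps above (token created on session start, hidden field rendered by a shared block, validation of POSTs in the per-request hook), modelled as an added example in plain Python. This is not OutSystems code or the attachment from the post: `Session`, `hidden_field`, `validate_request` and the sample form dictionaries are assumptions for illustration, and `secrets.token_hex` stands in for a cryptographically secure generator of the kind the update recommends instead of GenerateGuid.

```python
"""Synchronizer-token CSRF check (added example, not OutSystems code)."""
import hmac
import html
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 16  # 128 bits, the minimum the update above asks for


@dataclass
class Session:
    """Server-side session; the token is created once, when the session starts.
    (Assumed stand-in for the OutSystems session variable.)"""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(TOKEN_BYTES))


def hidden_field(session: Session) -> str:
    """The hidden input a common web block would render into every form."""
    return '<input type="hidden" name="csrf_token" value="{}">'.format(
        html.escape(session.csrf_token, quote=True)
    )


def validate_request(session: Session, method: str, form: dict) -> bool:
    """OnBeginWebRequest-style check.  Only POSTs are validated, as in the post;
    the comparison is constant-time so the token cannot be recovered byte by byte."""
    if method.upper() != "POST":
        return True
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str):
        return False  # missing or malformed token: reject
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def scenarios() -> dict:
    """Constructed requests against one victim session (sample data, not captured traffic)."""
    victim = Session()
    attacker = Session()  # an attacker only knows tokens from their own session
    return {
        "get_without_token": validate_request(victim, "GET", {}),
        "post_with_own_token": validate_request(
            victim, "POST", {"csrf_token": victim.csrf_token}),
        "post_without_token": validate_request(
            victim, "POST", {"amount": "100"}),
        "post_with_attacker_token": validate_request(
            victim, "POST", {"csrf_token": attacker.csrf_token}),
        "post_with_guessed_token": validate_request(
            victim, "POST", {"csrf_token": "0" * (2 * TOKEN_BYTES)}),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two caveats when copying the pattern: skipping validation for GET is only safe if no GET request changes state, and the token must be compared with a constant-time function rather than `==` so that timing differences do not leak it.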

@Joao:
I've checked your version and extended it to create a working version out-of-the-box.
I've also replaced the GenerateGuid with CryptoAPI.GenerateAESKey(256).

Hi João,

I know the thread is old but wanted to clear this up. :)

Is it correct to say that this workaround is no longer required for the latest OutSystems release, as indicated here?

I'm interested too...

Waiting for response...

This is something that OutSystems should have done by default.

Also, how about SSL pinning? Do we still have to use the Forge component, or has it been included in OutSystems now?