Cross-Site Request Forgery Token

Hi,

Has anyone implemented any kind of CSRF token synchronization in OutSystems, or been able to use the .NET ViewStateUserKey?

Does anyone know if OutSystems has any kind of Cross-Site Request Forgery protection?



Best Regards

Hi Antonio,

Maybe you can find a better solution, but here's one that works:
- Use GenerateGuid to create a token on session start, and assign it to a session variable;
- Add a hidden field to a common web block with the value of the session variable;
- Validate the hidden field against the session variable in OnBeginWebRequest. To avoid having different logic for the first session page (and make the code slightly more efficient), I run the validation only for POST requests.

Like this, a successful attack would have to guess the GUID generated for the current session of the victim, which seems extremely unlikely.

I hope this helps.

Joao

Update:

GenerateGUID is not a secure random number generator.
Use CryptoAPI.GenerateAESKey instead, with at least 128 bits.


You can copy/paste from the attachment to jump start your own implementation.
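The synchronizer-token flow from the reply above, written out as an added Python example (this is not OutSystems code and not the attached solution). The session dict, the field name CsrfToken and the function names are assumptions standing in for the session variable, the hidden field in the common web block and the OnSessionStart/OnBeginWebRequest handlers; secrets.token_bytes(32) plays the role of CryptoAPI.GenerateAESKey(256).

```python
import hmac
import secrets
from html import escape

TOKEN_FIELD = "CsrfToken"   # assumed name of the hidden field in the common web block
TOKEN_BYTES = 32            # 256 bits, the size suggested in the update above


def start_session() -> dict:
    """OnSessionStart equivalent: mint one unguessable token per session.

    secrets.token_bytes is a CSPRNG. A GUID is not a secure random value,
    which is why the update replaces GenerateGuid with an AES key.
    """
    return {"csrf_token": secrets.token_bytes(TOKEN_BYTES).hex()}


def hidden_field(session: dict) -> str:
    """Markup the common web block emits: the session token as a hidden input."""
    value = escape(session["csrf_token"], quote=True)
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{value}">'


def validate_request(method: str, session: dict, form: dict) -> bool:
    """OnBeginWebRequest equivalent.

    Only POST requests are checked, so GET requests (including the first
    page of a brand-new session, which carries no token yet) pass through.
    hmac.compare_digest keeps the comparison constant-time.
    """
    if method.upper() != "POST":
        return True
    expected = session.get("csrf_token")
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    sess = start_session()
    print(hidden_field(sess))
    print("GET ok:", validate_request("GET", sess, {}))
    print("POST with token:", validate_request("POST", sess, {TOKEN_FIELD: sess["csrf_token"]}))
    print("POST without token:", validate_request("POST", sess, {}))
```

A forged cross-site POST cannot include the victim's session token, so it fails the check, while a token copied from a different session also fails.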

@Joao:
I've checked your version and extended it to create a working version out-of-the-box.
I've also replaced the GenerateGuid with CryptoAPI.GenerateAESKey(256).