c# - Failing validation of Anti Forgery Token in Asp.net webform application -


i working on asp.net webforms application. trying implement anti forgery token functionality in application.

i have test case application called script in different file (csrf issue) using xhr. solution have implemented works until change value of viewstate in script.

following whole scenario.

look @ "\r\n" blah blah blah... ; in below script.

external script (csrf attack script):

    var xhr = new xmlhttprequest();     xhr.open("post", "myappdomain", true);     xhr.setrequestheader("accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");     xhr.setrequestheader("accept-language", "en-us,en;q=0.5");     xhr.setrequestheader("content-type", "multipart\/form-data; boundary=---------------------------12421522427704");     xhr.withcredentials = true;     var body = "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"element\"\r\n" +       "\r\n" +       "search here...\r\n" +       "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"ddlrecordperpage_value\"\r\n" +       "\r\n" +       "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"__eventargument\"\r\n" +       "\r\n" +       "btneditprofilesave|event|click\r\n" +       "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"__viewstate\"\r\n" +       "\r\n" +       "\r\n" blah blah blah... ;     var abody = new uint8array(body.length);     (var = 0; < abody.length; i++)         abody[i] = body.charcodeat(i);     xhr.send(new blob([abody]));

my solution in application:

if not page.ispostback     viewstate("antiforgerytoken") = "" else     dim outstring string = if(not string.isnullorempty(convert.tostring(viewstate("antiforgerytoken"))), convert.tostring(viewstate("antiforgerytoken")), "")     if string.isnullorempty(outstring) andalso outstring = "initialize"         throw new exception("unknown request source.")         ext.net.x.redirect(apppath() & "/login.aspx", "invalid request scope.")     end if     antiforgerychecker.check(me.page, outstring)     viewstate("antiforgerytoken") = outstring end if

code block explanation:

when 1 of page loads, setting encrypted guid in viewstate in session. after it, when user makes server call, compare value of viewstate , session. if decrypted value of viewstate not match decrypted value of session, indicates method being called outside of application.

above solution works perfectly.

but when change value of viewstate following:

"**test**\r\n" blah blah blah... ;

my code fails validate because goes if not page.ispostback then part , sets blank viewstate value. occurs adding "test" in script. asp.net experience may know issue here. please explain exact issue , solution case...

regards

so have found solution.

  1. what here can check control caused postback.

  2. now here when reload page return me nothing when injected script causes postback returns me control caused postback (here in case returns scriptmanager).

  3. based on control can differentiate actual post event , further code accordingly.

please let me know if solution valid or can cause issue in future. found solution this post.

solution:

protected overrides sub onload(byval e eventargs)     try         dim controlpostback control = getcontrolthatcausedpostback(me)         if not page.ispostback             if controlpostback nothing                 viewstate("antiforgerytoken") = ""             end if         end if          dim outstring string = convert.tostring(viewstate("antiforgerytoken"))         antiforgerychecker.check(me.page, outstring, controlpostback)         viewstate("antiforgerytoken") = outstring      catch ex exception         handled()     end try end sub   private function getcontrolthatcausedpostback(page page) control     dim ctrl control = nothing     dim ctrlname string = page.request.params.[get]("__eventtarget")     if not [string].isnullorempty(ctrlname)         ctrl = page.findcontrol(ctrlname)     end if     return ctrl end function

Comments

Post a Comment

Popular posts from this blog

networking - Vagrant-provisioned VirtualBox VM is not reachable from Ubuntu host -

this question exact duplicate of: puphpet/vagrant: unable access lamp vm ip address 1 answer i following basic vagrant tutorial , vagrant provisions box on ubuntu without complaining. moreover, can vagrant ssh vm. however, vm not reachable host: it's not possible ping it's ip address. what have achieved: installed virtualbox (5.1.24 r117012 (qt5.5.1)) , vagrant (1.9.7) onto ubuntu (16.04.2 lts) machine. provisioned vm vagrant up , vagrant finishes job , not complain. vagrant ssh works. i have manually installed lighttpd on guest vm , can ping/curl address: localhost within guest vm. this when trying reach guest vm host: ~/tmp/myfirstvagrantproject$ ping 172.22.22.22 ping 172.22.22.22 (172.22.22.22) 56(84) bytes of data. ... icmp_seq=4 destination net unreachable ... 171 packets transmitted, 0 received, +21 errors, 100% packet loss, time 173
Read more

c# - ASP.NET Core - There is already an object named 'AspNetRoles' in the database -

i'm receiving error applicationdbcontext database when trying update entity framework. i've googled, tried fixes here on so, no avail. i'm deleting database each time make change, once deploy, not option. here's error: pm> update-database -context applicationdbcontext system.data.sqlclient.sqlexception: there object named 'aspnetroles' in database. @ system.data.sqlclient.sqlconnection.onerror(sqlexception exception, boolean breakconnection, action 1 wrapcloseinaction) @ system.data.sqlclient.tdsparser.throwexceptionandwarning(tdsparserstateobject stateobj, boolean callerhasconnectionlock, boolean asyncclose) @ system.data.sqlclient.tdsparser.tryrun(runbehavior runbehavior, sqlcommand cmdhandler, sqldatareader datastream, bulkcopysimpleresultset bulkcopyhandler, tdsparserstateobject stateobj, boolean& dataready) @ system.data.sqlclient.sqlcommand.runexecutenonquerytds(string methodname, boolean async, int32 timeout, boolean
Read more

ruby on rails - ArgumentError: Missing host to link to! Please provide the :host parameter, set default_url_options[:host], or set :only_path to true -

i have built module in solidus , ruby on rails , try create tests. i trying create integration tests , have error: e error: prescriptionphotostest#test_/prescription_photos_post_endpoint_throws_an_error_when_wrong_params: argumenterror: missing host link to! please provide :host parameter, set default_url_options[:host], or set :only_path true test/integration/prescription_photos_test.rb:6:in `block in ' i read this , this , doesn't make difference. my code returning error on line: @user = factorygirl.create(:user) here code files. prescription_photos_rest.rb require 'test_helper' class prescriptionphotostest < actiondispatch::integrationtest setup spree::auth::config[:confirmable] = false @user = factorygirl.create(:user) end def authenticated_header token = knock::authtoken.new(payload: { sub: @user.id }).token { 'authorization': "bearer #{token}" } end test '/prescription_p
Read more