c# - Failing validation of Anti Forgery Token in Asp.net webform application -


i working on asp.net webforms application. trying implement anti forgery token functionality in application.

i have test case application called script in different file (csrf issue) using xhr. solution have implemented works until change value of viewstate in script.

following whole scenario.

look @ "\r\n" blah blah blah... ; in below script.

external script (csrf attack script):

    var xhr = new xmlhttprequest();     xhr.open("post", "myappdomain", true);     xhr.setrequestheader("accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");     xhr.setrequestheader("accept-language", "en-us,en;q=0.5");     xhr.setrequestheader("content-type", "multipart\/form-data; boundary=---------------------------12421522427704");     xhr.withcredentials = true;     var body = "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"element\"\r\n" +       "\r\n" +       "search here...\r\n" +       "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"ddlrecordperpage_value\"\r\n" +       "\r\n" +       "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"__eventargument\"\r\n" +       "\r\n" +       "btneditprofilesave|event|click\r\n" +       "-----------------------------12421522427704\r\n" +       "content-disposition: form-data; name=\"__viewstate\"\r\n" +       "\r\n" +       "\r\n" blah blah blah... ;     var abody = new uint8array(body.length);     (var = 0; < abody.length; i++)         abody[i] = body.charcodeat(i);     xhr.send(new blob([abody]));

my solution in application:

if not page.ispostback     viewstate("antiforgerytoken") = "" else     dim outstring string = if(not string.isnullorempty(convert.tostring(viewstate("antiforgerytoken"))), convert.tostring(viewstate("antiforgerytoken")), "")     if string.isnullorempty(outstring) andalso outstring = "initialize"         throw new exception("unknown request source.")         ext.net.x.redirect(apppath() & "/login.aspx", "invalid request scope.")     end if     antiforgerychecker.check(me.page, outstring)     viewstate("antiforgerytoken") = outstring end if

code block explanation:

when 1 of page loads, setting encrypted guid in viewstate in session. after it, when user makes server call, compare value of viewstate , session. if decrypted value of viewstate not match decrypted value of session, indicates method being called outside of application.

above solution works perfectly.

but when change value of viewstate following:

"**test**\r\n" blah blah blah... ;

my code fails validate because goes if not page.ispostback then part , sets blank viewstate value. occurs adding "test" in script. asp.net experience may know issue here. please explain exact issue , solution case...

regards

so have found solution.

  1. what here can check control caused postback.

  2. now here when reload page return me nothing when injected script causes postback returns me control caused postback (here in case returns scriptmanager).

  3. based on control can differentiate actual post event , further code accordingly.

please let me know if solution valid or can cause issue in future. found solution this post.

solution:

protected overrides sub onload(byval e eventargs)     try         dim controlpostback control = getcontrolthatcausedpostback(me)         if not page.ispostback             if controlpostback nothing                 viewstate("antiforgerytoken") = ""             end if         end if          dim outstring string = convert.tostring(viewstate("antiforgerytoken"))         antiforgerychecker.check(me.page, outstring, controlpostback)         viewstate("antiforgerytoken") = outstring      catch ex exception         handled()     end try end sub   private function getcontrolthatcausedpostback(page page) control     dim ctrl control = nothing     dim ctrlname string = page.request.params.[get]("__eventtarget")     if not [string].isnullorempty(ctrlname)         ctrl = page.findcontrol(ctrlname)     end if     return ctrl end function

Comments

Post a Comment

Popular posts from this blog

html - How to set bootstrap input responsive width? -

Image
i need inline form calendar in both fields. reason can't rid of space between text , borders of input... here picture of problem i've tried set width parent div , input itself.... no good.. here i've done far. fiddle : <div class="modify_search"> <div class="search_wrapper"> <div class="search_header"> <form class="form-inline"> <div class="left"> <span>du</span> <div class="input-group"> <input type="text" class="form-control search_input" id="inlineforminputgroup"> <div class="input-group-addon"> <i class="fa fa-calendar" aria-hidden="true"></i> </div> </div> </div>
Read more

javascript - Highchart x and y axes data from json -

here js fiddle : demo i plotting differences of timestamps in multiple series reading data json. how plot "timestamp","timestamp2","timestamp3" against "tempersensordata" instead of steps? var processed_json = new array(); //ts1 var processed_json1 = new array(); //ts2 // populate initial series (i = 0; < data.length; i++){ processed_json.push(data[i].timestamp/1000); processed_json1.push(data[i].timestamp2/1000); }
Read more

javascript - Get js console.log as python variable in QWebView pyqt -

Image
i'm trying build application creates html + js code python , loads qwebview. the final html + js code following (raw code available here ): <head><meta charset="utf-8" /><script src="https://cdn.plot.ly/plotly-latest.min.js"></script></head><div id="mydiv" style="height: 100%; width: 100%;" class="plotly-graph-div"></div><script type="text/javascript">window.plotlyenv=window.plotlyenv || {};window.plotlyenv.base_url="https://plot.ly";plotly.newplot("mydiv", [{"type": "scatter", "x": [6.81, 6.78, 6.49, 6.72, 6.88, 7.68, 7.69, 7.38, 6.76, 6.84, 6.91, 6.74, 6.77, 6.73, 6.68, 6.94, 6.72], "y": [1046.67, 1315.0, 1418.0, 997.33, 2972.3, 9700.0, 6726.0, 6002.5, 2096.0, 2470.0, 867.0, 2201.7, 1685.6, 2416.7, 1618.3, 2410.0, 2962.0], "mode": "markers", "ids": [0, 1, 2, 3, 4, 5, 6, 7, 8,
Read more