ridercz / csrfence Goto Github PK

Hi,

I was looking for a csrf prevention module and I found your library using nuget. Thanks for taking the time for making such important httpmodule available through nuget.

I'm looking through your code to get a better understanding how things work. I was wondering why you are using MachineKey.Protect() and Unprotect to encrypt the cookie's token. Why bother to protect the hidden field? Can't we just use the token that is used in the cookie in the hidden field? I'm trying to understand the added value encrypting the hiddenfield value.

Thanks!

We would like to see the configuration object to be extended to allow for configuring the Same-Site cookie flag

To be compatible with older .NET versions, this would most likely need to be done via string manipulation since the .NET API will not support the SameSite property

I'm working on getting a .NET web app of mine compliant with a security standard and I installed CSRFence to address a CSRF vulnerablity our penetration test vendor found. The vendor said CSRFence has helped but there is still an issue. They're now saying:

"once a valid anti-CSRF token is generated for a particular account, it can also be used for any other account as well. The back-end should perform the following additional checks:

1. Back-end code should not allow an anti-CSRF token created for a particular account, to be used for another account. Otherwise an attacker can create a token for his own account and use it in a CSRF attack targeting another user. (Mandatory)
2. Ideally, the system should invalidate the anti-CSRF token as soon as it is posted to the server. Multiple uses should be disallowed. (Optional)"

Is there a built-in way to configure/use CSRFence to do what they're asking or should I build this functionality into my web app?