ridercz / csrfence Goto Github PK
View Code? Open in Web Editor NEWCSRF protection library for ASP.NET WebForms
License: MIT License
CSRF protection library for ASP.NET WebForms
License: MIT License
Hi,
I was looking for a csrf prevention module and I found your library using nuget. Thanks for taking the time for making such important httpmodule available through nuget.
I'm looking through your code to get a better understanding how things work. I was wondering why you are using MachineKey.Protect()
and Unprotect to encrypt the cookie's token. Why bother to protect the hidden field? Can't we just use the token that is used in the cookie in the hidden field? I'm trying to understand the added value encrypting the hiddenfield value.
Thanks!
We would like to see the configuration object to be extended to allow for configuring the Same-Site cookie flag
To be compatible with older .NET versions, this would most likely need to be done via string manipulation since the .NET API will not support the SameSite property
I'm working on getting a .NET web app of mine compliant with a security standard and I installed CSRFence to address a CSRF vulnerablity our penetration test vendor found. The vendor said CSRFence has helped but there is still an issue. They're now saying:
"once a valid anti-CSRF token is generated for a particular account, it can also be used for any other account as well. The back-end should perform the following additional checks:
- Back-end code should not allow an anti-CSRF token created for a particular account, to be used for another account. Otherwise an attacker can create a token for his own account and use it in a CSRF attack targeting another user. (Mandatory)
- Ideally, the system should invalidate the anti-CSRF token as soon as it is posted to the server. Multiple uses should be disallowed. (Optional)"
Is there a built-in way to configure/use CSRFence to do what they're asking or should I build this functionality into my web app?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.