
ViewStateUserKey isn't preventing CSRF?

I suspect this is due to my test configuration, but I wanted to ask you folks for your thoughts. I was playing around with a quick test project. I had a simple forms auth page and an order page (two fields and a list to show "orders"). The order page was set to use Request.Form[] when retrieving parameters to prevent input from coming in as a GET operation.

I set ViewStateUserKey in Page_Init and explicitly set EnableViewStateMac to true (even though it defaults to that).

Then I made a .HTM that did a form post to my order page that sets values for the two fields (product and quantity). I should note, I didn't bother crafting a viewstate as part of the form submit. I did View Source on the real page in my browser, cut out everything but the form fields, added some JavaScript to set the field values and do the form.submit().


I logged in to the test project, and opened the .HTM. The .HTM successfully submitted the form and when I refreshed the order page, I could see the bogus order.

Why didn't ViewStateUserKey protect against this? Isn't it supposed to block that very type of attack? In this example, I did not tamper with viewstate, I simply made a page that did a normal form post, so is ViewStateUserKey ONLY there to protect against ViewState tampering (which strikes me as utterly worthless), or is this working because both pages are living on the same physical machine?


Did you include the original viewstate field in the test page? If you copied a valid viewstate for a particular user, and then submitted it as that user, then yes, you would expect it to just work.

The ViewStateUserKey feature only prevents you from taking a ViewState created from your own user and using it in a submission made inadvertently by another user.

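The answer's point in working code, as an added example that is not from the question or the answer: the anti-XSRF pattern used in the Visual Studio Web Forms project template's master page, which ties ViewStateUserKey to a per-browser cookie and also stores that token inside ViewState, so a postback that carries no __VIEWSTATE at all (exactly the test in the question) is rejected instead of silently processed. The class name, cookie name and ViewState keys are assumptions, and AutoEventWireup is assumed so that Page_Init runs.

```csharp
using System;
using System.Web;
using System.Web.UI;

public partial class OrderPage : Page
{
    // Cookie and ViewState key names are assumptions for this example.
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        HttpCookie requestCookie = Request.Cookies[AntiXsrfTokenKey];
        if (requestCookie != null && Guid.TryParse(requestCookie.Value, out Guid parsed))
        {
            _antiXsrfTokenValue = requestCookie.Value;   // returning browser
        }
        else
        {
            // First visit: mint a token and hand it back in an HttpOnly cookie.
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
            var cookie = new HttpCookie(AntiXsrfTokenKey, _antiXsrfTokenValue);
            cookie.HttpOnly = true;
            cookie.Secure = Request.IsSecureConnection;
            Response.Cookies.Set(cookie);
        }
        // The ViewState MAC now depends on this browser's token, so ViewState
        // captured in another browser is rejected by the framework itself.
        Page.ViewStateUserKey = _antiXsrfTokenValue;
        Page.PreLoad += CheckAntiXsrfToken;
    }

    private void CheckAntiXsrfToken(object sender, EventArgs e)
    {
        string user = Context.User.Identity.Name ?? string.Empty;
        if (!IsPostBack)
        {
            // Initial render: store token and user inside MAC-protected ViewState.
            ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue;
            ViewState[AntiXsrfUserNameKey] = user;
            return;
        }
        // A postback with no __VIEWSTATE (the question's test) reads back null
        // here; one built from another browser's token fails the MAC earlier.
        if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
            || (string)ViewState[AntiXsrfUserNameKey] != user)
            throw new InvalidOperationException("Anti-XSRF token validation failed.");
    }
}
```

Because the check runs in PreLoad, it fires before any Page_Load or button handler reads Request.Form, which is what a page that reads the fields directly needs.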
