Prevent CSRF (Cross Site Request Forgery) Attacks in SharePoint Application Pages.

Cross-Site Request Forgery (CSRF) is an attack listed in the OWASP Top 10 in which a malicious website causes the victim's browser to send a request, from that other site, to a web application the user is already authenticated against. A much more detailed explanation is available here.

To prevent CSRF attacks in SharePoint application pages that POST data to the server, use the SharePoint FormDigest control. The FormDigest control inserts a generated digest (token) into the form page when the page is requested (usually through a GET), and in the code behind we can validate this token with SPUtility.ValidateFormDigest() to make sure the form/page has not been tampered with. It is good practice to validate the FormDigest in any code behind that writes data to the database, server or SharePoint list, and ideally in any write operation that uses RunWithElevatedPrivileges. Two steps:

1. Initialize FormDigest control in the custom application page.

 <SharePoint:FormDigest runat="server"/>

2. Call SPUtility.ValidateFormDigest() in the code behind POST methods of the application page to make sure that the form is not tampered with.
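The two steps above combined into one code-behind class, as an added example that is not part of the original post. It assumes the page's .aspx markup contains the FormDigest control shown in step 1 inside its form, plus a TextBox named TitleBox and a Button named SaveButton wired to SaveButton_Click; the class name, the "Requests" list and the control names are illustrative.

```csharp
// Added example, not the post's own code. Code-behind for a custom SharePoint 2010
// application page. Assumes the .aspx contains, inside <form runat="server">:
//   <SharePoint:FormDigest runat="server" />
//   <asp:TextBox ID="TitleBox" runat="server" />
//   <asp:Button ID="SaveButton" runat="server" OnClick="SaveButton_Click" />
// The class, control and list names below are illustrative.
using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Example.Layouts
{
    public partial class SecureEditPage : LayoutsPageBase
    {
        protected TextBox TitleBox;
        protected Button SaveButton;

        protected void SaveButton_Click(object sender, EventArgs e)
        {
            // Step 2: reject the POST unless the digest emitted by the FormDigest
            // control on the GET came back intact. A request forged from another
            // site cannot supply a digest bound to this user and this site.
            if (!SPUtility.ValidateFormDigest())
            {
                SPUtility.TransferToErrorPage(
                    "The security validation for this page is invalid. Reload the page and try again.");
                return;
            }

            // Read user input only after the digest check has passed.
            string newTitle = TitleBox.Text.Trim();
            if (newTitle.Length == 0)
            {
                return;
            }

            // Capture IDs from the request context; the elevated delegate must open
            // its own SPSite/SPWeb rather than reuse SPContext.Current objects.
            Guid siteId = SPContext.Current.Site.ID;
            Guid webId = SPContext.Current.Web.ID;

            // The write runs elevated, so the CSRF check above is what stands between
            // an attacker-triggered request and a privileged list update.
            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                using (SPSite site = new SPSite(siteId))
                using (SPWeb web = site.OpenWeb(webId))
                {
                    // The digest was already validated on the context web above, so
                    // enabling AllowUnsafeUpdates on this separately opened web does
                    // not bypass the CSRF protection; it only lets the write proceed.
                    web.AllowUnsafeUpdates = true;
                    try
                    {
                        SPList list = web.Lists["Requests"];
                        SPListItem item = list.Items.Add();
                        item["Title"] = newTitle;
                        item.Update();
                    }
                    finally
                    {
                        web.AllowUnsafeUpdates = false;
                    }
                }
            });
        }
    }
}
```

The order matters: the digest is validated before any input is read and before the elevated delegate runs, so a failed check never reaches the write path. SPUtility.ValidateFormDigest() returns false rather than throwing, which is why the handler branches on its result.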

Posted in C#, Sharepoint 2010
3 comments on “Prevent CSRF (Cross Site Request Forgery) Attacks in SharePoint Application Pages.”
  1. Venkata says:

    Hi, thanks for the solution. A quick question: does this replace the captcha implementation? Do I still need to implement Captcha?


    • acveer says:

      The purpose of Captcha is different, so it has to be implemented for that purpose. Some applications even preserve for a long time what users have entered for the captcha.
      Preventing CSRF attacks does not replace captcha.


  2. […] To keep this short(er) I have cut out the RunWithElevatedPrivileges bits and such, you actually might not need to have that depending on your user permissions, but if you leave it in then I suggest reading this. […]
