Prevent CSRF (Cross Site Request Forgery) Attacks in SharePoint Application Pages.

Cross-Site Request Forgery (CSRF) is an attack outlined in the OWASP Top 10 whereby a malicious website sends a request, from a different origin, to a web application that the user is already authenticated against, so the application treats the forged request as the user's own. A more detailed explanation is here.

To prevent CSRF attacks in SharePoint application pages that POST data to the server, use the SharePoint FormDigest control. The FormDigest control inserts a generated digest (token) into the form page when it is requested (usually through GET), and in the code behind we can validate this token using SPUtility.ValidateFormDigest() to make sure that the form/page has not been tampered with. It is good practice to validate the FormDigest in any code behind that writes data to the DB/server/SP list, and ideally in any write operation that uses RunWithElevatedPrivileges. Two steps:

1. Initialize FormDigest control in the custom application page.

 <SharePoint:FormDigest runat="server"/>

2. Check for

SPUtility.ValidateFormDigest()

in the code behind POST methods of application pages to make sure that the form is not tampered with.
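Putting the two steps together, here is an added example (not code from the original post) of an application page code behind that validates the form digest before performing an elevated write. The page class name SubmitRequest, the button handler btnSubmit_Click, the text box txtTitle, the list name "Requests" and the field "Title" are all assumed for illustration; the markup is assumed to contain the FormDigest control from step 1 inside the server form.

```csharp
// Added example, not from the original post. Assumed names: SubmitRequest,
// btnSubmit_Click, txtTitle, list "Requests", field "Title".
// Markup (application page .aspx, inside <form runat="server">):
//   <SharePoint:FormDigest runat="server" />
//   <asp:TextBox ID="txtTitle" runat="server" />
//   <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Example.Layouts
{
    public partial class SubmitRequest : LayoutsPageBase
    {
        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            // Step 2: reject the POST unless the digest that came back with the
            // form matches the one SharePoint issued for this user and site.
            // A cross-site form cannot obtain that token, so the check fails there.
            if (!SPUtility.ValidateFormDigest())
            {
                // Constructed message; SPException renders as the standard SharePoint error page.
                throw new SPException("Invalid form digest; the request was not processed.");
            }

            // Capture request data before switching identity.
            string title = txtTitle.Text;
            Guid siteId = SPContext.Current.Site.ID;
            Guid webId = SPContext.Current.Web.ID;

            // The privileged write happens only after the digest has been validated.
            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                using (SPSite site = new SPSite(siteId))
                using (SPWeb web = site.OpenWeb(webId))
                {
                    // A freshly opened SPWeb (not SPContext.Current.Web) has no
                    // validated digest attached to it, so writes during a POST
                    // require AllowUnsafeUpdates. That is why the explicit
                    // ValidateFormDigest() call above must come first.
                    web.AllowUnsafeUpdates = true;
                    try
                    {
                        SPList list = web.Lists["Requests"]; // assumed list name
                        SPListItem item = list.AddItem();
                        item["Title"] = title;
                        item.Update();
                    }
                    finally
                    {
                        web.AllowUnsafeUpdates = false;
                    }
                }
            });
        }
    }
}
```

The important ordering is that ValidateFormDigest() runs before any call that sets AllowUnsafeUpdates or enters RunWithElevatedPrivileges; setting AllowUnsafeUpdates on the elevated SPWeb turns off SharePoint's own digest check for that object, so the page's explicit validation is the only thing standing between a forged request and the write.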

Posted in C#, Sharepoint 2010
3 comments on “Prevent CSRF (Cross Site Request Forgery) Attacks in SharePoint Application Pages.”
  1. Venkata says:

    Hi, thanks for the solution. A quick question: does this replace a captcha implementation? Do I still need to implement Captcha?


    • acveer says:

      The purpose of Captcha is different, so it has to be implemented for that purpose. Some applications even preserve for a long time what users have entered for the captcha.
      Preventing CSRF attacks does not replace captcha.


  2. […] To keep this short(er) I have cut out the RunWithElevatedPrivileges bits and such, you actually might not need to have that depending on your user permissions, but if you leave it in then I suggest reading this. […]
