Cross-Site Request Forgery (CSRF) is an attack listed in the OWASP Top 10 in which a malicious website causes the victim's browser to send a request to a web application the user is already authenticated against; because the browser attaches the session cookie automatically, the application cannot tell the forged request from a genuine one. A much more detailed explanation is here
To prevent CSRF attacks in SharePoint application pages that POST data to the server, use the SharePoint FormDigest control. The control inserts a generated digest (an anti-forgery token) into the form when the page is requested (usually via GET), and in the code-behind that token is validated with SPUtility.ValidateFormDigest() before anything is written. The digest is issued by the server for the current user and site and expires after the interval configured for the web application, so a request forged from another site cannot carry a valid one. Note that it proves the request came from a page this server served to this user; it is not an integrity check on the individual form fields. It is good practice to validate the form digest in any code-behind that writes to the database, the server or a SharePoint list, and especially in any write that runs inside RunWithElevatedPrivileges: the SPSite/SPWeb objects opened there are typically used with AllowUnsafeUpdates = true, which switches off SharePoint's own built-in digest check, so your explicit validation is the only one left. Two steps:
1. Add the FormDigest control to the markup of the custom application page:
<SharePoint:FormDigest runat="server"/>
2. Call
SPUtility.ValidateFormDigest()
in the code-behind POST handlers (button click events and similar) of the application page, before any write, and abort the request if validation does not succeed.
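Putting the two steps together, here is an added example of the code-behind for such an application page. This is illustrative code written for this post, not code from the original article or from SharePoint itself. It assumes the page markup carries the FormDigest control shown above plus a text box txtTitle and a button whose OnClick is btnSave_Click, and that a list named "Feedback" with a text column "SubmittedBy" exists; those names are assumptions.

```csharp
// Added example (not from the original post): code-behind for a server-side
// SharePoint application page under _layouts that writes to a list on POST.
// The page markup contains <SharePoint:FormDigest runat="server"/>, a TextBox
// named txtTitle and a Button wired to btnSave_Click (all assumed here).
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Demo.Layouts
{
    public partial class FeedbackPage : LayoutsPageBase
    {
        protected void btnSave_Click(object sender, EventArgs e)
        {
            // Only accept a real form post; a GET never carries a valid digest
            // and should never cause a write.
            if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            {
                throw new SPException("Unexpected HTTP method.");
            }

            // CSRF check: the digest was issued by this site for this user when the
            // page was served, so a request forged from another origin fails here.
            // Do this BEFORE any write and BEFORE elevating privileges.
            if (!SPUtility.ValidateFormDigest())
            {
                throw new SPException("The security validation for this page is invalid.");
            }

            string title = txtTitle.Text;
            Guid siteId = SPContext.Current.Site.ID;
            Guid webId = SPContext.Current.Web.ID;
            // Capture the real caller now; inside the elevated block CurrentUser
            // would be the application pool account.
            string author = SPContext.Current.Web.CurrentUser.LoginName;

            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                // Objects opened here run as the application pool account and carry
                // no digest context of their own, which is why the check above matters.
                using (SPSite site = new SPSite(siteId))
                using (SPWeb web = site.OpenWeb(webId))
                {
                    // AllowUnsafeUpdates disables SharePoint's built-in digest check on
                    // this SPWeb; acceptable only because ValidateFormDigest() passed.
                    web.AllowUnsafeUpdates = true;
                    try
                    {
                        SPList list = web.Lists["Feedback"];   // assumed list name
                        SPListItem item = list.Items.Add();
                        item["Title"] = title;
                        item["SubmittedBy"] = author;          // assumed text column
                        item.Update();
                    }
                    finally
                    {
                        web.AllowUnsafeUpdates = false;
                    }
                }
            });
        }
    }
}
```

The order matters: the digest is validated on the caller's own SPContext first, and only then is the write performed under elevated privileges. If the two are swapped, or the validation is left out because AllowUnsafeUpdates made the "security validation" error go away, a page on any other site can submit this form on behalf of a logged-in user.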
Hi, thanks for the solution. A quick question: does this replace a captcha implementation? Do I still need to implement Captcha?
The purpose of Captcha is different, so it has to be implemented for that purpose. Some applications even preserve for a long time what users have entered for the captcha.
Preventing CSRF attacks does not replace captcha.
[…] To keep this short(er) I have cut out the RunWithElevatedPrivileges bits and such, you actually might not need to have that depending on your user permissions, but if you leave it in then I suggest reading this. […]