Per Bjurström
Apr 23, 2010
  9978
(1 votes)

Using the CSRF page extension in CMS 6

EPiServer CMS 6 has a new page extension that add CSRF prevention on a Web form. I won’t go into detail of the CSRF exploit since Wikipedia has a good description. In short, someone uses a visitors browser to send a malicious request to another site were the user is already logged in to (or trusts in some way).

The countermeasure implemented in this page extension is a per-user cryptographically generated token stored in a cookie. A hidden field on the page is generated based on the user token and salted with information specific to that page. Whenever a post is made to the page we validate the tokens in the PreInit phase. There are no server-state involved except a per-site secret stored in the database used to protect the values from tampering (safe for load balancing).

This page extension called AntiForgeryValidation is completely transparent to the user as long as they have cookies enabled and hopefully to you as a developer as well.

using EPiServer.Web.PageExtensions;

namespace EPiServer.Templates
{
/// <summary>
/// The default start page
/// </summary>
public partial class Default : TemplatePage
{
public Default() : base(AntiForgeryValidation.OptionFlag,0)
{
}

But, you do want to test that it actually works after you implemented the code, the easiest way is to use a tool like Firecookie to manipulate the request. For example: Make a request to the page and store away the cookie __epiAntiForgeryToken_X, close the browser and go the page again, now edit the cookie and paste the old value before doing a submit to the page. The error you will get should be “This request has probably been tampered with. Close the browser and try again.”.

There are some limitations, it won’t work with output caching since we need the unique field on the page. Also, if you are doing some custom coding you need to post the hidden field  “_epiAntiForgeryToken” as well or the page won’t validate. Also, the user must have cookies enabled.

This extension is used extensively on administrative interfaces in EPiServer CMS 6 that is based on Web forms. If you ever worked with ASP.NET MVC you will know that this feature exists in MVC as well and they use the same type of prevention scheme.

There are some alternative implementations of CSRF protection in ASP.NET Web forms like changing how ViewState is generated or by using Session State but we did not want to take an dependency on those features, you choose what scheme fits your requirements.

Le me know if you have any questions.

Apr 23, 2010

Comments

Sep 21, 2010 10:33 AM

I love the fact that EPiServer is responding to the requirements of its corporate customers - in particular financial institutes. They are the kind that require this kind of easy-to-implement yet effective vulnerability exploit prevention.

I personally will use this for all pages I create just as de rigeur for forms authentication as PageTypeBuilder is for type handling.

Thank you for a great article that has proved interesting. It's a shame that there are so many sites still using version 5 - for which I assume there are no ways to prevent this CSRF exploit? Are there any techniques that can be applied at this level?

Sep 21, 2010 10:33 AM

Hi Chris, thanks for the feedback. There is one simple approach if you are using ViewState and SessionState: http://haacked.com/archive/2009/04/02/csrf-webforms.aspx. OWASP has a module as well even though I haven't tested it.

Andrey Kozhyn
Andrey Kozhyn Apr 26, 2011 10:35 AM

Is there any way to disable it for login page?

Mar 16, 2012 09:49 AM

I am getting this error: This request has probably been tampered with. Close the browser and try again. We have not implemented this code (as far as I am aware). It is happening (seemingly) randomly and we would like to stop it. There is a forum entry http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=50746&epslanguage=en
but I dont understand if there is a solution.

edit: It happens even in admin mode

Please login to comment.
Latest blogs
Implementing EmbeddedLocalization in Optimizely CMS 12

My previous post on translation (Translating Optimizely CMS 12 UI components) gives an overview of how to implement the FileXmlLocalizationProvider...

Eric Herlitz | Jan 27, 2023 | Syndicated blog

Breaking changes in EPiServer.CMS.TinyMce 4.0.0

After upgrading to the latest version of EPiServer.CMS.TinyMce, the dropdown with formats disappears. Learn how to get it back!

Tomas Hensrud Gulla | Jan 27, 2023 | Syndicated blog

Translating Optimizely CMS 12 UI components

Optimizely CMS 12 have been out for a while now, but still some elements haven't been properly translated resulting in a GUI defaulting to english....

Eric Herlitz | Jan 26, 2023 | Syndicated blog

Image preview in Optimizely CMS12 all properties view

With these simple steps, you can now see an Image and its Metadata, including size and dimensions, when editing an Image property in Optimizely...

Tomas Hensrud Gulla | Jan 26, 2023 | Syndicated blog