Opticon Stockholm is on Tuesday September 10th, hope to see you there!

Per Bjurström
Apr 23, 2010
  10596
(1 votes)

Using the CSRF page extension in CMS 6

EPiServer CMS 6 has a new page extension that add CSRF prevention on a Web form. I won’t go into detail of the CSRF exploit since Wikipedia has a good description. In short, someone uses a visitors browser to send a malicious request to another site were the user is already logged in to (or trusts in some way).

The countermeasure implemented in this page extension is a per-user cryptographically generated token stored in a cookie. A hidden field on the page is generated based on the user token and salted with information specific to that page. Whenever a post is made to the page we validate the tokens in the PreInit phase. There are no server-state involved except a per-site secret stored in the database used to protect the values from tampering (safe for load balancing).

This page extension called AntiForgeryValidation is completely transparent to the user as long as they have cookies enabled and hopefully to you as a developer as well.

using EPiServer.Web.PageExtensions;

namespace EPiServer.Templates
{
/// <summary>
/// The default start page
/// </summary>
public partial class Default : TemplatePage
{
public Default() : base(AntiForgeryValidation.OptionFlag,0)
{
}

But, you do want to test that it actually works after you implemented the code, the easiest way is to use a tool like Firecookie to manipulate the request. For example: Make a request to the page and store away the cookie __epiAntiForgeryToken_X, close the browser and go the page again, now edit the cookie and paste the old value before doing a submit to the page. The error you will get should be “This request has probably been tampered with. Close the browser and try again.”.

There are some limitations, it won’t work with output caching since we need the unique field on the page. Also, if you are doing some custom coding you need to post the hidden field  “_epiAntiForgeryToken” as well or the page won’t validate. Also, the user must have cookies enabled.

This extension is used extensively on administrative interfaces in EPiServer CMS 6 that is based on Web forms. If you ever worked with ASP.NET MVC you will know that this feature exists in MVC as well and they use the same type of prevention scheme.

There are some alternative implementations of CSRF protection in ASP.NET Web forms like changing how ViewState is generated or by using Session State but we did not want to take an dependency on those features, you choose what scheme fits your requirements.

Le me know if you have any questions.

Apr 23, 2010

Comments

Sep 21, 2010 10:33 AM

I love the fact that EPiServer is responding to the requirements of its corporate customers - in particular financial institutes. They are the kind that require this kind of easy-to-implement yet effective vulnerability exploit prevention.

I personally will use this for all pages I create just as de rigeur for forms authentication as PageTypeBuilder is for type handling.

Thank you for a great article that has proved interesting. It's a shame that there are so many sites still using version 5 - for which I assume there are no ways to prevent this CSRF exploit? Are there any techniques that can be applied at this level?

Sep 21, 2010 10:33 AM

Hi Chris, thanks for the feedback. There is one simple approach if you are using ViewState and SessionState: http://haacked.com/archive/2009/04/02/csrf-webforms.aspx. OWASP has a module as well even though I haven't tested it.

Andrey Kozhyn
Andrey Kozhyn Apr 26, 2011 10:35 AM

Is there any way to disable it for login page?

Mar 16, 2012 09:49 AM

I am getting this error: This request has probably been tampered with. Close the browser and try again. We have not implemented this code (as far as I am aware). It is happening (seemingly) randomly and we would like to stop it. There is a forum entry http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=50746&epslanguage=en
but I dont understand if there is a solution.

edit: It happens even in admin mode

Please login to comment.
Latest blogs
Handling Nynorsk and Bokmål in Optimizely CMS

Warning: Blog post about Norwegian language handling (but might be applicable to other languages and/or use cases). Optimizely have flexible and...

Haakon Peder Haugsten | Sep 5, 2024

Remove Unwanted properties for Headless Implementation using Content Delivery API

While working with Headless, whenever we want to send data to the front end, many properties are also shown in JSON that we don't wish to, which...

PuneetGarg | Sep 4, 2024

Optimizely Headless Form Setup

1. Create empty CMS applications First, let’s setup an empty CMS application. Install the NuGet packages in your solution using the NuGet Package...

Linh Hoang | Sep 4, 2024

Default caching on search request on Search & Navigation

For the better performance, Search & Navigation .Net client has provided StaticallyCacheFor method for caching your search result in a specific of...

Manh Nguyen | Sep 4, 2024