Per Bjurström
Apr 23, 2010

Using the CSRF page extension in CMS 6

EPiServer CMS 6 has a new page extension that adds CSRF prevention to a Web form. I won’t go into the details of the CSRF exploit, since Wikipedia has a good description. In short, someone uses a visitor’s browser to send a malicious request to another site where the user is already logged in (or that trusts the user in some other way).

The countermeasure implemented in this page extension is a per-user cryptographically generated token stored in a cookie. A hidden field on the page is generated based on the user token and salted with information specific to that page. Whenever a post is made to the page, we validate the tokens in the PreInit phase. No server state is involved except a per-site secret stored in the database, which is used to protect the values from tampering (so the scheme is safe for load balancing).

This page extension, called AntiForgeryValidation, is completely transparent to the user as long as they have cookies enabled, and hopefully to you as a developer as well.

using EPiServer.Web.PageExtensions;

namespace EPiServer.Templates
{
    /// <summary>
    /// The default start page
    /// </summary>
    public partial class Default : TemplatePage
    {
        // Passing AntiForgeryValidation.OptionFlag to the base constructor
        // turns the extension on for this page.
        public Default() : base(AntiForgeryValidation.OptionFlag, 0)
        {
        }
    }
}

You do want to test that it actually works after you have implemented the code, though. The easiest way is to use a tool like Firecookie to manipulate the request. For example: make a request to the page and store away the cookie __epiAntiForgeryToken_X, close the browser and go to the page again, then edit the cookie and paste in the old value before submitting the page. The error you get should be “This request has probably been tampered with. Close the browser and try again.”.

There are some limitations. It won’t work with output caching, since we need the unique field on the page. If you are doing some custom coding, you need to post the hidden field “_epiAntiForgeryToken” as well or the page won’t validate. Also, the user must have cookies enabled.
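The scheme, the cookie-swap test and the missing-field limitation described above, as an added sketch that is not EPiServer's code. The HMAC-SHA256 construction, the class and method names and the page identifiers are assumptions chosen to illustrate the idea; the real extension's token format is not shown on this page.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative sketch only (assumed design, hypothetical names).
static class AntiForgerySketch
{
    // Per-user random token; this is the value that would live in the cookie.
    public static string NewUserToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Hidden field: MAC over the cookie token bound to one page, keyed with the per-site secret.
    public static string FieldFor(byte[] siteSecret, string userToken, string pageId)
    {
        using (var mac = new HMACSHA256(siteSecret))
            return Convert.ToBase64String(
                mac.ComputeHash(Encoding.UTF8.GetBytes(userToken + "\n" + pageId)));
    }

    // Run on every POST before any handler acts on the form data.
    public static bool Validate(byte[] siteSecret, string cookie, string field, string pageId)
    {
        if (string.IsNullOrEmpty(cookie) || string.IsNullOrEmpty(field)) return false;
        string expected = FieldFor(siteSecret, cookie, pageId);
        int diff = expected.Length ^ field.Length;   // compare without an early exit
        for (int i = 0; i < expected.Length && i < field.Length; i++)
            diff |= expected[i] ^ field[i];
        return diff == 0;
    }

    static void Main()
    {
        var secret = new byte[32];                   // stands in for the per-site secret
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(secret);

        string oldCookie = NewUserToken();           // cookie saved from the first visit
        string newCookie = NewUserToken();           // cookie issued after reopening the browser
        string field = FieldFor(secret, newCookie, "/default.aspx");

        Console.WriteLine("normal post:           " + Validate(secret, newCookie, field, "/default.aspx"));
        Console.WriteLine("old cookie pasted in:  " + Validate(secret, oldCookie, field, "/default.aspx"));
        Console.WriteLine("hidden field missing:  " + Validate(secret, newCookie, null, "/default.aspx"));
        Console.WriteLine("field from other page: " + Validate(secret, newCookie, field, "/other.aspx"));
    }
}
```

Only the first case validates; the other three are the situations in which the real extension would show the "tampered with" error.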

This extension is used extensively on the administrative interfaces in EPiServer CMS 6 that are based on Web forms. If you have ever worked with ASP.NET MVC, you will know that this feature exists in MVC as well and that it uses the same type of prevention scheme.

There are some alternative implementations of CSRF protection in ASP.NET Web forms, like changing how ViewState is generated or using Session State, but we did not want to take a dependency on those features. You choose what scheme fits your requirements.

Let me know if you have any questions.

Comments

Sep 21, 2010 10:33 AM

I love the fact that EPiServer is responding to the requirements of its corporate customers - in particular financial institutes. They are the kind that require this kind of easy-to-implement yet effective vulnerability exploit prevention.

I personally will use this for all pages I create just as de rigueur for forms authentication as PageTypeBuilder is for type handling.

Thank you for a great article that has proved interesting. It's a shame that there are so many sites still using version 5 - for which I assume there are no ways to prevent this CSRF exploit? Are there any techniques that can be applied at this level?

Sep 21, 2010 10:33 AM

Hi Chris, thanks for the feedback. There is one simple approach if you are using ViewState and SessionState: http://haacked.com/archive/2009/04/02/csrf-webforms.aspx. OWASP has a module as well even though I haven't tested it.

Andrey Kozhyn Apr 26, 2011 10:35 AM

Is there any way to disable it for the login page?

Mar 16, 2012 09:49 AM

I am getting this error: This request has probably been tampered with. Close the browser and try again. We have not implemented this code (as far as I am aware). It is happening (seemingly) randomly and we would like to stop it. There is a forum entry http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=50746&epslanguage=en but I don't understand if there is a solution.

edit: It happens even in admin mode
