False Positive Absence of Anti CSRF Token Help


Issac Holguin

Jul 14, 2021, 12:15:54 PM7/14/21
to OWASP ZAP User Group
Hello,

I am scanning my .NET Web Forms application and I'm coming across the Absence of Anti CSRF Token flag on my requests. This is happening even after implementing the default master page of the ASP.NET Web Forms default template for a manual anti-CSRF token (I used this site: https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html).

Would this be a false positive? I could see the cookie in the browser, and the cookie is sent with the request as well, and it's still flagged by ZAP. Thanks!

kingthorin+owaspzap

Jul 14, 2021, 1:00:59 PM7/14/21
to OWASP ZAP User Group
The cookie is only half of the equation: is the param value present in the form? Is the param name identified to ZAP as an anti-CSRF token?

Issac Holguin

Jul 14, 2021, 1:29:57 PM7/14/21
to OWASP ZAP User Group
No, would you be able to give me an example of what I need to add to the form? It's the form in my Site.Master that's getting flagged for me right now below.

<!-- globalWrapper -->
<div id="globalWrapper">
    <form runat="server">

--------


My implementation for the code-behind of the master page comes from the solution OWASP has documented here: https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html

Following is my VB.NET implementation, versus the C# implementation on the page.

Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI

' Code-behind for Site.Master. The class name is assumed here; it must match the
' Inherits attribute of the Master directive in Site.Master.
Public Class SiteMaster
    Inherits MasterPage

    Private Const AntiXsrfTokenKey As String = "__AntiXsrfToken"
    Private Const AntiXsrfUserNameKey As String = "__AntiXsrfUserName"
    Private _antiXsrfTokenValue As String

    Protected env As String

    Private Sub Page_Init(sender As Object, e As EventArgs) Handles Me.Init
        ' The code below helps to protect against XSRF attacks
        Dim requestCookie = Request.Cookies(AntiXsrfTokenKey)
        Dim requestCookieGuidValue As Guid
        If requestCookie IsNot Nothing AndAlso Guid.TryParse(requestCookie.Value, requestCookieGuidValue) Then
            ' Use the Anti-XSRF token from the cookie
            _antiXsrfTokenValue = requestCookie.Value
            Page.ViewStateUserKey = _antiXsrfTokenValue
        Else
            ' Generate a new Anti-XSRF token and save it to the cookie
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N")
            Page.ViewStateUserKey = _antiXsrfTokenValue

            ' HttpOnly keeps client-side script from reading the token cookie
            Dim responseCookie = New HttpCookie(AntiXsrfTokenKey) With {
                .HttpOnly = True,
                .Value = _antiXsrfTokenValue
            }
            If FormsAuthentication.RequireSSL AndAlso Request.IsSecureConnection Then
                responseCookie.Secure = True
            End If
            Response.Cookies.[Set](responseCookie)
        End If

        AddHandler Page.PreLoad, AddressOf master_Page_PreLoad
    End Sub

    Protected Sub master_Page_PreLoad(sender As Object, e As EventArgs)
        If Not IsPostBack Then
            ' First request: store the token and user name in ViewState,
            ' which is MAC-protected and keyed by ViewStateUserKey
            ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey
            ViewState(AntiXsrfUserNameKey) = If(Context.User.Identity.Name, [String].Empty)
        Else
            ' Postback: the ViewState copy must match the cookie-derived token and the current user
            If DirectCast(ViewState(AntiXsrfTokenKey), String) <> _antiXsrfTokenValue OrElse
               DirectCast(ViewState(AntiXsrfUserNameKey), String) <> If(Context.User.Identity.Name, [String].Empty) Then
                Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")
            End If
        End If
    End Sub
End Class


Thanks for your help!
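
Added example (not from this thread, from ZAP's source, or from the cheat sheet): a small Python emulation of the passive check kingthorin describes. ZAP's rule only compares the names of the <input> elements inside each <form> with its configured anti-CSRF token names; the cookie is never consulted, and with the ViewStateUserKey approach above the token is folded into __VIEWSTATE, whose name is not on that list. The default name list and case-insensitive matching are assumptions recalled from memory, and the two HTML samples are constructed.

```python
from html.parser import HTMLParser

# Names ZAP treats as anti-CSRF tokens by default (assumption: recalled from
# ZAP's Options > Anti-CSRF Tokens list; verify against your ZAP version).
DEFAULT_TOKEN_NAMES = {
    "anticsrf", "CSRFToken", "__RequestVerificationToken", "csrfmiddlewaretoken",
    "authenticity_token", "OWASP_CSRFTOKEN", "anoncsrf", "csrf_token", "_csrf",
    "_csrfSecret", "__csrf_magic", "CSRF", "_token", "_csrf_token",
}

class _FormInputs(HTMLParser):
    """Collect the name of every <input> that appears inside each <form>."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one set of input names per <form>
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = set()
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current.add(a["name"])
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def forms_without_token(page_html, token_names=DEFAULT_TOKEN_NAMES):
    """Return the index of every form with no input named like a known token.
    Only the HTML is inspected, so a cookie-only token never counts; matching is
    case-insensitive (an assumption about ZAP's comparison)."""
    known = {n.lower() for n in token_names}
    p = _FormInputs()
    p.feed(page_html)
    return [i for i, names in enumerate(p.forms)
            if not any(n.lower() in known for n in names)]

# Constructed sample of what a Web Forms master page renders: the ViewStateUserKey
# token is folded into __VIEWSTATE, so no input carries a recognisable token name.
WEBFORMS_PAGE = """<form method="post" action="./Default.aspx" id="ctl01">
<input type="hidden" name="__VIEWSTATE" value="/wEPDwUK...constructed" />
<input type="hidden" name="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" value="/wEdAA...constructed" />
<input type="submit" name="ctl00$MainContent$Save" value="Save" /></form>"""

# Same form plus a hidden field that carries the token under an explicit name.
FIXED_PAGE = WEBFORMS_PAGE.replace('<input type="submit"',
    '<input type="hidden" name="__AntiXsrfToken" value="a1b2c3...constructed" />\n<input type="submit"')
```

The Web Forms sample is reported even with the cookie present, and the fixed form is still reported until the custom name is on ZAP's list: in ZAP that is done under Options > Anti-CSRF Tokens (or the API's acsrf component), and the server must also verify the hidden field's value on postback.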
