Avoid disabling the XSRF/CSRF Protection (ASP.NET Core MVC)

CRITICAL

Rule Definition
CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones. In ASP.NET Core MVC, the Razor Pages automatic generation of antiforgery tokens for HTML form elements can be disabled: - by explicitly disable antiforgery tokens with the asp-antiforgery attribute - by opting-out the form element of Tag Helpers by using the Tag Helper - remove the FormTagHelper from the view

Remediation
Do not disable antiforgery tokens with the asp-antiforgery attribute Do not opt-out the form element of Tag Helpers by using the Tag Helper Do not remove the FormTagHelper from the view

Violation Code Sample

// VIOLATION: Explicitly disable antiforgery tokens with the asp-antiforgery attribute <form method="post" asp-antiforgery="false"> ... </form> // VIOLATION: Form element is opted-out of Tag Helper <!form method="post"> ... </!form> // VIOLATION: FormTagHelper removed from the view @removeTagHelper Microsoft.AspNetCore.Mvc.TagHelpers.FormTagHelper, Microsoft.AspNetCore.Mvc.TagHelpers

Fixed Code Sample

// NO VIOLATION: protected by default <form method="post"> ... </form>

Reference

https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) http://cwe.mitre.org/data/definitions/352.html OWASP Top 10 2007 -A5-Cross Site Request Forgery (CSRF) OWASP Top 10 2010 -A5-Cross Site Request Forgery (CSRF) OWASP Top 10 2013 -A8-Cross Site Request Forgery (CSRF)

Related Technologies

Health Factor

Security

Technical Criterion
Secure Coding - Input Validation

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

nan%

Total Violations

0

Total Opportunities

0

Average Violations / App.

nan

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Select from drop-down

99.95%

Don't Know

100.00%

Financial Services

100.00%

Want more stats? Register now!