Views: 8461
Number of votes: 1
Average rating:

Using the CSRF page extension in CMS 6

EPiServer CMS 6 has a new page extension that add CSRF prevention on a Web form. I won’t go into detail of the CSRF exploit since Wikipedia has a good description. In short, someone uses a visitors browser to send a malicious request to another site were the user is already logged in to (or trusts in some way).

The countermeasure implemented in this page extension is a per-user cryptographically generated token stored in a cookie. A hidden field on the page is generated based on the user token and salted with information specific to that page. Whenever a post is made to the page we validate the tokens in the PreInit phase. There are no server-state involved except a per-site secret stored in the database used to protect the values from tampering (safe for load balancing).

This page extension called AntiForgeryValidation is completely transparent to the user as long as they have cookies enabled and hopefully to you as a developer as well.

using EPiServer.Web.PageExtensions;

namespace EPiServer.Templates
{
/// <summary>
/// The default start page
/// </summary>
public partial class Default : TemplatePage
{
public Default() : base(AntiForgeryValidation.OptionFlag,0)
{
}

But, you do want to test that it actually works after you implemented the code, the easiest way is to use a tool like Firecookie to manipulate the request. For example: Make a request to the page and store away the cookie __epiAntiForgeryToken_X, close the browser and go the page again, now edit the cookie and paste the old value before doing a submit to the page. The error you will get should be “This request has probably been tampered with. Close the browser and try again.”.

There are some limitations, it won’t work with output caching since we need the unique field on the page. Also, if you are doing some custom coding you need to post the hidden field  “_epiAntiForgeryToken” as well or the page won’t validate. Also, the user must have cookies enabled.

This extension is used extensively on administrative interfaces in EPiServer CMS 6 that is based on Web forms. If you ever worked with ASP.NET MVC you will know that this feature exists in MVC as well and they use the same type of prevention scheme.

There are some alternative implementations of CSRF protection in ASP.NET Web forms like changing how ViewState is generated or by using Session State but we did not want to take an dependency on those features, you choose what scheme fits your requirements.

Le me know if you have any questions.

Apr 23, 2010

(By , 9/21/2010 12:33:17 PM)

I love the fact that EPiServer is responding to the requirements of its corporate customers - in particular financial institutes. They are the kind that require this kind of easy-to-implement yet effective vulnerability exploit prevention.

I personally will use this for all pages I create just as de rigeur for forms authentication as PageTypeBuilder is for type handling.

Thank you for a great article that has proved interesting. It's a shame that there are so many sites still using version 5 - for which I assume there are no ways to prevent this CSRF exploit? Are there any techniques that can be applied at this level?

pb
(By pb, 9/21/2010 12:33:17 PM)

Hi Chris, thanks for the feedback. There is one simple approach if you are using ViewState and SessionState: http://haacked.com/archive/2009/04/02/csrf-webforms.aspx. OWASP has a module as well even though I haven't tested it.

Andrey Kozhyn
(By Andrey Kozhyn, 4/26/2011 12:35:13 PM)

Is there any way to disable it for login page?

john.walsh
(By john.walsh, 3/16/2012 10:49:19 AM)

I am getting this error: This request has probably been tampered with. Close the browser and try again. We have not implemented this code (as far as I am aware). It is happening (seemingly) randomly and we would like to stop it. There is a forum entry http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=50746&epslanguage=en
but I dont understand if there is a solution.

edit: It happens even in admin mode

Please login to comment.