We have an ASP.NET web forms application that is probably vulnerable to a Cross-site request forgery (CSRF) attack. How do we begin to write a unit test that will alert us to this? Using NUnit. Some tips or pointers would be great.

A: 

You need to understand how CSRF is done. Get into the hacker's way of thinking. You then need to create automated tests performing CSRF. This will probably not be a unit test (testing a single unit), more like an integration test. When you have succeeded in performing the CSRF attack - when your tests are red - you'll be able to fix the problem.

Check out the CSRF FAQ for more information on how to perform the attack. And here's a good wiki article about Testing for CSRF you should check out.

Torbjørn
+1  A: 

CSRF is an attack where a user is tricked (by a link in an email, for example) into performing an action on the attacker's behalf while already being authenticated on your website.

There are several ways to reduce the risk which you should test for -

  • GET requests should not have side-effects - all actions should be done using POST requests only. It's more difficult for an attacker to generate a POST request originating from the user.
  • You want to have a random unique per-page string sent to the user and checked on return to the server. The user's cookie will be sent in a request caused by the attacker, but the attacker will not know the string stored in the form. In .NET, I think you can use Viewstate for this.
  • For especially sensitive (or attack prone) actions or after some period of inactivity, you may request repeat authentication by the user

OWASP (linked by Torbjørn) is indeed an excellent resource and contains much more detailed explanation and advice.

Yevgeny Doctor
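A worked model of the red/green integration test both answers describe, added here as an example; it is not code from the question or from either answer. It is written in Python rather than C#/NUnit so that it runs stand-alone: the `BankApp` class, the `/transfer` page, the `__CSRF` hidden-field name and the user names are all invented for the illustration. The app is built in two modes, the vulnerable one (cookie alone is trusted, and a GET has a side effect) and the hardened one (GET only renders the form, POST must echo a per-session random hidden field), and three test-client functions replay the attacker's forged GET, the attacker's forged POST without the token, and a legitimate POST. An NUnit fixture would do the same thing with `HttpClient` against a test deployment: obtain a logged-in session, replay its cookie in a POST built without the hidden field, and assert that the action did not happen.

```python
import hmac
import re
import secrets
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs, urlencode


class BankApp:
    """Invented WSGI app with one state-changing action, /transfer.

    require_token=False: vulnerable, trusts the session cookie alone and transfers on GET.
    require_token=True: GET only renders the form; POST must echo the per-session __CSRF field.
    """

    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.transfers = []  # recorded side effects, so a test can see whether an attack worked

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def _transfer(self, session, params):
        self.transfers.append({"from": session["user"], "to": params["to"][0],
                               "amount": int(params["amount"][0])})

    def __call__(self, environ, start_response):
        def respond(status, body):
            start_response(status, [("Content-Type", "text/html")])
            return [body.encode()]

        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        session = self.sessions.get(cookies["session"].value) if "session" in cookies else None
        if session is None:
            return respond("401 Unauthorized", "login required")
        if environ["PATH_INFO"] != "/transfer":
            return respond("404 Not Found", "no such page")

        if environ["REQUEST_METHOD"] == "GET":
            params = parse_qs(environ.get("QUERY_STRING", ""))
            if not self.require_token and "to" in params:
                # Vulnerable: GET with a side effect, reachable from <img src="..."> on the attacker's page.
                self._transfer(session, params)
                return respond("200 OK", "transferred")
            hidden = (f'<input type="hidden" name="__CSRF" value="{session["csrf"]}">'
                      if self.require_token else "")
            return respond("200 OK", f'<form method="post">{hidden}</form>')

        if environ["REQUEST_METHOD"] == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(length).decode())
            if self.require_token:
                # The browser attaches the cookie by itself; a cross-site form cannot contain this value.
                sent = form.get("__CSRF", [""])[0]
                if not hmac.compare_digest(sent, session["csrf"]):
                    return respond("403 Forbidden", "anti-forgery token missing or wrong")
            self._transfer(session, form)
            return respond("200 OK", "transferred")
        return respond("405 Method Not Allowed", "")


def request(app, method, path, cookie=None, form=None, query=""):
    """Drive the WSGI app in-process, as an integration-test client would; returns (status, body)."""
    body = urlencode(form or {}).encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body),
               "HTTP_COOKIE": f"session={cookie}" if cookie else ""}
    result = {}

    def start_response(status, headers):
        result["status"] = int(status.split()[0])

    page = b"".join(app(environ, start_response)).decode()
    return result["status"], page


def forged_post_succeeds(app, victim_sid):
    """Attacker's page auto-submits a form to /transfer; the victim's browser attaches the cookie."""
    before = len(app.transfers)
    status, _ = request(app, "POST", "/transfer", cookie=victim_sid,
                        form={"to": "mallory", "amount": "1000"})  # no __CSRF: attacker cannot read it
    return status == 200 and len(app.transfers) > before


def forged_get_succeeds(app, victim_sid):
    """Attacker's page embeds <img src=".../transfer?to=mallory&amount=1000">."""
    before = len(app.transfers)
    status, _ = request(app, "GET", "/transfer", cookie=victim_sid, query="to=mallory&amount=1000")
    return status == 200 and len(app.transfers) > before


def legitimate_post_succeeds(app, sid):
    """The real user loads the page first, so the hidden field comes back with the POST."""
    _, page = request(app, "GET", "/transfer", cookie=sid)
    match = re.search(r'name="__CSRF" value="([0-9a-f]+)"', page)
    form = {"to": "bob", "amount": "10"}
    if match:
        form["__CSRF"] = match.group(1)
    status, _ = request(app, "POST", "/transfer", cookie=sid, form=form)
    return status == 200


if __name__ == "__main__":
    for require_token in (False, True):
        app = BankApp(require_token)
        sid = app.login("alice")
        print(f"require_token={require_token}: forged POST={forged_post_succeeds(app, sid)}, "
              f"forged GET={forged_get_succeeds(app, sid)}, "
              f"legitimate={legitimate_post_succeeds(app, sid)}")
```

The assertion that makes the test "red" on the vulnerable build is `forged_post_succeeds(...)` being `False`: the forged request carries the victim's cookie and nothing else, which is exactly what a browser sends for a cross-site form. The token comparison uses `hmac.compare_digest` so the check does not leak the token through timing, and the token is bound to the session so a value captured from the attacker's own session is useless against the victim.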