The EnableEventValidation page directive (enabled by default since .NET 2.0) applies a nonce value for form validation and is also a strong control to prevent CSRF attacks.
Michael Sutton
Security Evangelist
SPI Dynamics
http://portal.spidynamics.com/blogs/msutton

> -----Original Message-----
> From: Chris Weber [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 6:12 PM
> To: 'pdp (architect)'; full-disclosure@lists.grok.org.uk; 'WASC Forum'; 'webappsec @OWASP'
> Subject: RE: [WEB SECURITY] Preventing Cross-site Request Forgeries [ASP.NET crowd]
>
> Nice article.
>
> For the ASP.NET crowd out there, this will be even simpler: one line of
> code. Set the ViewStateUserKey property in your base class or page and the
> unique token protections (similar to CSRF_Guard) will be provided for you.
>
> http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx
>
> This protection mechanism has been available for many years, since the
> Framework 1.1
>
> -----Original Message-----
> From: pdp (architect) [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 3:16 AM
> To: full-disclosure@lists.grok.org.uk; WASC Forum; webappsec @OWASP
> Subject: [WEB SECURITY] Preventing Cross-site Request Forgeries
>
> http://www.gnucitizen.org/blog/preventing-csrf
>
> I briefly covered how simple it is to prevent CSRF attacks. Hope that you
> find it useful.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
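Chris Weber's ViewStateUserKey suggestion, worked into a shared base page as an added example (not code from the thread or from either author). It assumes an ASP.NET Web Forms application with session state enabled and the default MAC-protected ViewState; the session key name is a placeholder.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Base page that binds every page's ViewState to the current session, so a
// form rendered in one session cannot be posted back from another (CSRF).
public class CsrfProtectedPage : Page
{
    // Placeholder key name: any value stored in Session pins the SessionID.
    private const string SessionAnchorKey = "__csrf_session_anchor";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // ASP.NET issues a fresh SessionID on every request until something
        // has been stored in Session, so the key used when the form was
        // rendered would not match the key checked on postback. Storing a
        // marker makes the ID stable across the GET/POST pair.
        if (Session[SessionAnchorKey] == null)
        {
            Session[SessionAnchorKey] = DateTime.UtcNow;
        }

        // Must be assigned in or before Init, before ViewState is loaded;
        // assigning it in Page_Load throws InvalidOperationException.
        ViewStateUserKey = Session.SessionID;
    }
}
```

The key is folded into the ViewState MAC, so it protects only requests that carry a MAC-validated `__VIEWSTATE` (enableViewStateMac must stay on, and handlers that accept raw POSTs without ViewState need a separate token).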