CSRF question

Stephen Holdorf

I am investigating a CSRF finding in asp.net c# code behind as shown in the following code:

LinkButton LinkButtonControl = new LinkButton();
LinkButtonControl.ID = Name;

Now, I feel that the following code using ViewStateUserKey is the right approach:

protected override OnInit(EventArgs e) {
base.OnInit(e);
if (User.Identity.IsAuthenticated)
ViewStateUserKey = Session.SessionID; }

However; another person I work with thinks that the Httputility.htmlencode method is the best way to correct the problem. First I don't know if the Httputility.htmlencode method is the best way and if so I would I use it?

Anil Vaghasiya

Hello, Very nice question i'm also interested in Website Security Please follow the Below link that might be helpful. Hack Proof Your ASP.NET Application Part 3 (Cross Site Request Forgery)[^] http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages[^] http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-%28csrf%29-attacks[^]

Richard Deeming

The HtmlEncode method is one of a group of methods used to prevent XSS (Cross-Site Scripting)[^] - that's where you take input from the user and write it to the output without properly encoding it. The method provides zero protection from a CSRF vulnerability. CSRF (aka XSRF) is a Cross-Site Request Forgery[^] vulnerability. That's where a script on another site can force the user's browser to make an authenticated request to your site without the user's knowledge. It looks like Anil has already given you some good links for dealing with this class of vulnerability.

---

"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer