Page 247

Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

By adding a unique value per user per page, it will not be possible for an attacker to substitute his own viewstate when creating a CSRF exploit. This approach has a couple of major weaknesses, however. First, the security contracts related to the viewstate user key are not well documented by Microsoft. Even though the protection may be adequate today, Microsoft has the right to change it in the future, because the documentation never makes any promises or guarantees to application developers. Second, developers often misuse the viewstate user key by not providing an appropriate value. For the application to protect against CSRF effectively, an attacker must not be able to supply or gain access to the value used as the viewstate user key. A good example of such a value is a session ID that is stored in the user's cookie and is not predictable. To provide further protection, combine the session ID value with a unique value per page. By varying the key on a per-page basis, the difficulty for the attacker increases, as the key cannot be reused. After specifying the key value, make sure the application is actually protected by referencing the viewstate, since the key is only checked when the page loads it.
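The following is an added example, not code from the book, showing how the recommended key (unpredictable session ID combined with a per-page value) would be set in ASP.NET Web Forms. It assumes a base page class named CsrfProtectedPage that all pages inherit from and that session state is enabled.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base page for the application; every page derives from it.
// ViewStateUserKey must be assigned before view state is loaded, so it is set
// in OnInit (Page_Init), not in Page_Load.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // The misuse described in the text: a null, empty, or attacker-knowable
        // key gives no protection at all. Fail closed instead of continuing.
        if (Session == null || string.IsNullOrEmpty(Session.SessionID))
        {
            throw new HttpException(403, "A session is required before view state can be keyed.");
        }

        // Note: ASP.NET issues a fresh session ID on each request until something
        // is stored in Session, so the session must be established (e.g. at login)
        // for this key to be stable across postbacks.

        // Unpredictable per-user value (session ID from the user's cookie)
        // combined with a per-page value, so a key captured for one page
        // cannot be reused against another.
        ViewStateUserKey = Session.SessionID + "|" + Request.Path;

        // The user key is folded into the view state MAC; it only helps if
        // MAC validation stays enabled and the page actually posts view state.
        EnableViewStateMac = true;
    }
}
```

Pages that disable view state entirely post nothing for the MAC check to validate, which is the "referencing the viewstate" requirement the text ends on.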

