
Prevent Cross-Site Request Forgery


I understand Cross-Site Request Forgery and found numerous blogs and articles on the web on how to handle it in ASP.NET MVC, but have not found decent links or helpful solutions to deal with CSRF attacks in ASP.NET web applications. I have run a security tool on my website, and it's reporting cross-site request forgery and showing the risk:

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

My question is how to deal with CSRF attacks in ASP.NET web applications?


Solution

  • The ViewState mechanism can be used to protect against CSRF in a web forms app.

    ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when it is submitted to the server. The status is defined through a hidden field placed on each page with a control. ViewState can be used as a CSRF defense, as it is difficult for an attacker to forge a valid ViewState. It is not impossible to forge a valid ViewState, since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each ViewState unique, and thus immune to CSRF.

    Also regarding your other question on CSRF:

    It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

    A CSRF attack usually doesn't allow an attacker to view anything, only to make requests on behalf of the logged-in user. However, if there was a change-password option that doesn't require the current password to be submitted, the attacker might be able to call this function using the victim's session, for the attacker to then later log in directly as the victim user.
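The "session ID added to the ViewState" defence the answer describes is what ASP.NET Web Forms exposes as `Page.ViewStateUserKey`. The following is an added example in C# (not code from the question or the answer) showing a base page class that sets it, plus an explicit per-session token check for postbacks where ViewState is disabled. `ViewStateUserKey`, `EnableViewStateMac` and `Session.SessionID` are real Web Forms APIs; the class name `CsrfProtectedPage`, the session key and the hidden field name `__csrfToken` are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;

// Added example: a base class for Web Forms pages. Names such as
// CsrfProtectedPage and "__csrfToken" are illustrative, not ASP.NET built-ins.
public class CsrfProtectedPage : Page
{
    private const string TokenSessionKey = "__csrfToken";

    protected override void OnInit(EventArgs e)
    {
        // Caveat: a session that holds no data is assigned a *new* SessionID on
        // every request, so binding ViewState to it would make every postback
        // fail. Storing the token below also pins the session so the ID is stable.
        if (Session[TokenSessionKey] == null)
        {
            Session[TokenSessionKey] = NewToken();
        }

        // Must be set in Init, before ViewState is loaded. The key is mixed
        // into the ViewState MAC, so ViewState produced for another session
        // (or forged by an attacker) fails validation with a ViewStateException
        // on postback. EnableViewStateMac is on by default and, from ASP.NET
        // 4.5.2, cannot be turned off; it is required for this to mean anything.
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }

    // Per-session token for pages or controls with ViewState disabled.
    // Render it into the form as:
    //   <input type="hidden" name="__csrfToken" value="<%= CsrfToken %>" />
    protected string CsrfToken
    {
        get { return (string)Session[TokenSessionKey]; }
    }

    protected bool IsPostbackTokenValid()
    {
        string submitted = Request.Form["__csrfToken"];
        string expected = CsrfToken;
        if (string.IsNullOrEmpty(submitted) || string.IsNullOrEmpty(expected))
        {
            return false;
        }
        return FixedTimeEquals(
            Encoding.UTF8.GetBytes(submitted),
            Encoding.UTF8.GetBytes(expected));
    }

    // Constant-time comparison so a timing oracle cannot reveal the token
    // byte by byte (CryptographicOperations.FixedTimeEquals is not available
    // on .NET Framework, where Web Forms runs).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    private static string NewToken()
    {
        byte[] bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }
}

// A page that performs a state-changing action inherits the base class and
// rejects any postback whose token does not match the session's token.
public partial class ChangePassword : CsrfProtectedPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack && !IsPostbackTokenValid())
        {
            Response.StatusCode = 403;
            Response.End();
        }
        // ... otherwise handle the password change; still require the
        // current password, as the answer notes.
    }
}
```

The `ViewStateUserKey` check only protects requests that carry ViewState, i.e. normal postbacks; a handler reached by a plain HTML form POST, an `.ashx` handler or a page with `EnableViewState="false"` gets no protection from it, which is why the explicit token is kept alongside. Both checks assume the session cookie is the only credential the browser attaches automatically, so they should sit next to `HttpOnly`/`Secure` cookie flags rather than replace them.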