Tags: security, webforms, csrf, csrf-protection

Webforms CSRF prevention not working
Using Web Forms 4.5, and the code from the link below to prevent CSRF attacks. We aren't using Master pages, so this same code is included in a Sitecore base layout.

https://software-security.sans.org/developer-how-to/developer-guide-csrf

This doesn't seem to prevent a CSRF attack: if we have a script outside of the site, it is able to post manipulated data to the site. We've added a view state (copied from the web page) to this script.

This CSRF prevention code compares a token value set in the view state to an in-memory variable. However, as our script includes the view state, it includes the view state variable, and so this code doesn't produce an error, because the view state variable matches the in-memory one.

I would expect this code to work, as it's part of Web Forms Master pages... Any ideas why it's not working for us?
Solution

  • A CSRF attack is a write-only attack. For example,

    1. Hacker sends out a million emails containing an "image" that actually links to https://www.SomeBank.com/Transfer?Amount=1000&ToAccount=HackersAccount

    2. Some percentage of the million emails are opened

    3. Some percentage of the users who open the emails are also logged into www.Somebank.com

    4. When the image is "retrieved", the email client actually sends a request to the banking site and moves the money. The request succeeds because cookies for www.SomeBank.com are passively sent along with the request.

    The CSRF token provides a piece of information that is not known and not knowable to the hacker. When the request is received without the token, the transfer is denied.

    If the hacker has access to the page, and can read the token, the mechanism does not work, as you are seeing. Of course, if he has access to the page, you have bigger problems!
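As an added example (not the SANS guide's code, and not anything the asker or the answerer posted), the following shows how a Web Forms token check can be tied to something a cross-site page cannot copy: the token is stored both in ViewState and in an HttpOnly cookie issued to the same browser, and a postback is accepted only when the two agree. It follows the pattern of the Visual Studio Web Forms project template, moved into a base Page class because the site described has no Master pages. The class name, the cookie name and the choice of a GUID as the token are this example's assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example: base Page class that binds the anti-CSRF token carried in
// ViewState to a per-browser HttpOnly cookie. Names are this example's own.
public class CsrfProtectedPage : Page
{
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // The token lives in a cookie the browser attaches automatically, like the
        // session cookie. A cross-site page can make the browser *send* it, but
        // cannot *read* it, so it cannot reproduce it inside a forged form body.
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid parsed;
        if (requestCookie != null && Guid.TryParse(requestCookie.Value, out parsed))
        {
            _antiXsrfTokenValue = requestCookie.Value;
        }
        else
        {
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                HttpOnly = true,
                Value = _antiXsrfTokenValue
            };
            if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
            {
                responseCookie.Secure = true;
            }
            Response.Cookies.Set(responseCookie);
        }

        // Keying the ViewState MAC to the token means ViewState copied from a page
        // served to a different browser fails MAC validation before the explicit
        // comparison below even runs.
        ViewStateUserKey = _antiXsrfTokenValue;
    }

    protected override void OnPreLoad(EventArgs e)
    {
        base.OnPreLoad(e);

        if (!IsPostBack)
        {
            // First render: record the token and the current user in ViewState.
            ViewState[AntiXsrfTokenKey] = ViewStateUserKey;
            ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
        }
        else
        {
            // Postback: the ViewState copy must match the cookie the *current*
            // browser sent, not a server-side variable that every request shares.
            if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
            {
                throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
            }
        }
    }
}
```

Note what this does and does not defend against. A victim's browser lured into submitting ViewState lifted from a page the attacker viewed will fail, because the victim's cookie carries a different token (and the ViewState MAC was keyed to the attacker's). A test script that holds both the cookie and ViewState copied from a page served to that same cookie is simply an authenticated client, not a cross-site forgery, so it will pass any CSRF check; that is the "bigger problems" case in the answer above.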