CS.CSRF.VALIDATE

Validation of "POST request data access" is not done

Cross-site request forgery (CSRF) prevention is a complex problem with no universal solution. One way to reduce the chances of introducing CSRF vulnerabilities is to use anti-forgery tokens that request the browser send back the token on each request. in ASP.NET WebForm applications, CSRF validation can be done by using Microsofts's AntiForgery.Validate() method or similar custom methods.

The CS.CSRF.VALIDATE checker flags instances where return values from properties, such as MyTextbox.Text or Request.Form["id"], are used without having been first validated by the AntiForgery.Validate() method.

Vulnerability and risk

Cross-site request forgery (also known as XSRF or CSRF) is an attack against web-hosted apps whereby a malicious web app can influence the interaction between a client browser and a web app that trusts that browser. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc., and can result in the exposure of data or unintended code execution. This form of exploit is also known as a one-click attack or session riding because the attack takes advantage of the user's previously authenticated session.

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
12
13
  using System;
  using System.Web.UI;
    
  namespace CSRF_checker
  {
      public partial class _Default : Page
      {
          protected void Submit_Click(object sender, EventArgs e)
          {
             var txt = MyTextbox.Text;   // CS.CSRF.VALIDATE
         }
     }
 } 

In this example, Klocwork reports a defect at line 10 because the code does not validate the input value.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
  using System;
  using System.Web.Helpers;
  using System.Web.UI;
    
  namespace CSRF_checker
  {
      public partial class _Default : Page
      {
          protected void Submit_Click(object sender, EventArgs e)
         {
             AntiForgery.Validate();
             var txt = MyTextbox.Text;   // no CS.CSRF.VALIDATE
         }
     }
 }

In this fixed example, the code validates the input method by using the AntiForgery.Validate method, so Klocwork does not report a defect.

Related checkers

• CS.CSRF.ATTR.NOATTR
• CS.CSRF.ATTR.POST
• CS.CSRF.VSUK.CONSTASSIGN
• CS.CSRF.VSUK.NOASSIGN

External guidance

• CWE-352: Cross-Site Request Forgery
• OWASP A1:2021 Broken Access Control
• AntiForgery.Validate

Security training

Application security training materials provided by Secure Code Warrior.

• Cross Site Request Forgery Training Video - Test your skills with a training example