CS.CSRF.VSUK.CONSTASSIGN

A const string is assigned to property 'ViewStateUserKey'.

Cross-site request forgery (CSRF) prevention is a complex problem with no universal solution. One way to reduce the chance of introducing CSRF vulnerabilities is to use anti-forgery tokens: a secret tied to the user's session that the browser must send back with each state-changing request and that a request forged from another origin cannot supply. In ASP.NET Web Forms applications, this can be done by setting the 'ViewStateUserKey' property of a 'System.Web.UI.Page'; the value is mixed into the view state MAC, so a postback carrying view state that was generated for a different user (or for no user at all) fails validation. The CS.CSRF.VSUK family of checkers verifies whether 'ViewStateUserKey' is correctly set during page initialization, that is, in 'Page_Init', 'OnInit' or 'OnPreInit' (it must be set no later than the Init stage, before view state is loaded).

To be effective, the value of this property must not be a constant. A key that is the same for every user (and therefore known to an attacker) lets the attacker capture a valid view state from their own session and replay it in a forged postback against any victim, which is exactly the forgery the key is meant to prevent. The CS.CSRF.VSUK.CONSTASSIGN checker flags assignments to 'ViewStateUserKey' during initialization where the assigned value is a constant.

Vulnerability and risk

Cross-site request forgery (also known as XSRF or CSRF) is an attack against web-hosted apps whereby a malicious web app can influence the interaction between a client browser and a web app that trusts that browser. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc., and can result in the exposure of data or unintended code execution. This form of exploit is also known as a one-click attack or session riding because the attack takes advantage of the user's previously authenticated session.

Vulnerable code example

    using System;
    using System.Web.UI;

    namespace Example
    {
        public partial class About : Page
        {
            protected void Page_Init(object sender, EventArgs e)
            {
                // Page initialization: the key is a constant shared by every user
                ViewStateUserKey = "test"; //@ CS.CSRF.VSUK.CONSTASSIGN
            }
        }
    }

In this example, class 'About', which is of the type 'System.Web.UI.Page' (that is, the code-behind of an .aspx page), assigns the constant string "test" to 'ViewStateUserKey'. Because every user's view state is then validated with the same key, an attacker can take a valid view state from their own session and replay it in a forged postback against any other user. This leaves the website's users vulnerable to CSRF attacks. Klocwork reports this vulnerability as a CS.CSRF.VSUK.CONSTASSIGN defect at line 11.

Fixed code example

    using System;
    using System.Web.UI;

    namespace Example
    {
        public partial class About : Page
        {
            protected void Page_Init(object sender, EventArgs e)
            {
                // Page initialization: the key is specific to the current session
                ViewStateUserKey = Session.SessionID; //@no CS.CSRF.VSUK.CONSTASSIGN
            }
        }
    }

In this fixed code example, a non-constant, per-user value (the session ID) is assigned to 'ViewStateUserKey' during page initialization. This is the approach recommended in Microsoft's ASP.NET Web Forms guidance for mitigating CSRF. Two caveats apply in practice. First, ASP.NET issues a new session ID on every request until something is actually stored in the session, so a page that relies on 'Session.SessionID' must make sure session state is established (for example, by writing a value to Session in 'Session_Start' in Global.asax); otherwise the key changes between the page render and the postback and view state validation fails. Second, the protection only covers postbacks whose view state MAC is validated; it does nothing for GET requests or for handlers that do not go through the page's view state.
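The following is an added example, not code from the Klocwork page or from Microsoft's documentation. It shows a variant of the fix that avoids the unstable-session-ID problem: the key is a random per-session secret that is generated on first use and stored in Session, which also makes the session (and its ID) persistent from that point on. The helper name 'GetOrCreateSessionSecret' and the session key name '__VsukSecret' are assumptions chosen for this example. Because the assigned value is not a constant, this is not the pattern CS.CSRF.VSUK.CONSTASSIGN flags.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.SessionState;
using System.Web.UI;

namespace Example
{
    // Added example (not from the original page): bind the view state MAC to a
    // random per-session secret instead of a constant or the raw session ID.
    public partial class About : Page
    {
        // Session key under which the secret is stored; name is an assumption.
        private const string VsukSessionKey = "__VsukSecret";

        protected void Page_Init(object sender, EventArgs e)
        {
            // Must be set no later than Init, before view state is loaded.
            ViewStateUserKey = GetOrCreateSessionSecret(Session);
        }

        // Returns the per-session secret, generating a 256-bit random value on
        // first use. Writing it to Session also makes the session persistent, so
        // the value (unlike a fresh SessionID) is the same on the next postback.
        internal static string GetOrCreateSessionSecret(HttpSessionState session)
        {
            var secret = session[VsukSessionKey] as string;
            if (string.IsNullOrEmpty(secret))
            {
                var bytes = new byte[32];
                using (var rng = RandomNumberGenerator.Create())
                {
                    rng.GetBytes(bytes);
                }
                secret = Convert.ToBase64String(bytes);
                session[VsukSessionKey] = secret;
            }
            return secret;
        }
    }
}
```

If several pages in the application need the same behaviour, the usual place for this logic is a common base page (or 'OnInit' override) rather than repeating it in every code-behind; the checker still accepts it as long as the assignment happens in 'Page_Init', 'OnInit' or 'OnPreInit' and the right-hand side is not a constant.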

Security training

Application security training materials provided by Secure Code Warrior.