
I have placed the code below inside my forms. The request would then show a token in its cookie, and also a hidden field is created when my html is being generated. Note that both the cookie and the hidden field have different values.

<%= System.Web.Helpers.AntiForgery.GetHtml() %> 

Every time I post back, I have the validator shown below.

if (IsPostBack)
{
   AntiForgery.Validate();
}
1. The weird part is that even if I forcibly change the cookie in the hidden field (using MITM software like Burp), the validator does not even detect that the token has been changed.

2. I have listed the generated tokens (refreshing the page a couple of times) and tried using one of the listed ones to manipulate the most current request. And, to no surprise, the validator does not catch an error.

3. I read that the tokens are session based, so I tried to use the token in another session (another user), and still the validator does not catch anything.

4. Changing the token in the cookie would catch an error, but that cookie token is constant and is the same for all forms.

Is there anything wrong or any other missing pieces to this issue?

What version of MVC are you using? – IrishChieftain

I'm using ASP.NET Web Forms. – kberStill

What version of ASP.NET Web Forms? What version of VS? stackoverflow.com/help/how-to-ask – IrishChieftain

Sorry. ASP.NET version is 4.0 and VS is 2015. – kberStill

1 Answer


Well, it's advised in the OWASP Cheat Sheet to use/check the ViewStateUserKey and to double-submit the cookie value. You can check this answer.

This will only protect requests coming from the Web Forms, though. In other cases, like sending an AJAX POST to the server, the request won't have the token. So in this case you may implement a custom header with an auto-generated token and check it on the server side: https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token
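The setup described in the question and the answer's three recommendations, put together in one Web Forms project, as an added example that is not the poster's or answerer's code: ViewStateUserKey bound to the session, AntiForgery.Validate() on every postback, and a separate .ashx handler that validates the same token pair when the form half arrives in a custom request header from an AJAX POST. Assumptions that are not in the original page: System.Web.Helpers is referenced (the Microsoft.AspNet.WebPages NuGet package), and the header name X-RequestVerificationToken, the handler name AjaxTokenHandler and the session key are this example's choice.

```csharp
// ---- Default.aspx.cs ----
// Markup for Default.aspx contains, inside <form runat="server">:
//   <%= System.Web.Helpers.AntiForgery.GetHtml() %>
// That call sets the __RequestVerificationToken cookie and renders the hidden
// field of the same name. The two values are meant to differ: the cookie half
// is issued once per browser session and reused, the form half changes on every
// render, and Validate() checks that the pair belongs together.
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.UI;

public partial class Default : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Bind ViewState to this session so a ViewState blob captured from one
        // user cannot be posted back by another. Must be set in (or before)
        // Page_Init, before ViewState is loaded.
        // SessionID is only stable once the session holds data, so store a
        // marker first (session key "anti-csrf-init" is this example's choice).
        if (Session["anti-csrf-init"] == null)
        {
            Session["anti-csrf-init"] = true;
        }
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            return;
        }

        // Pairs the __RequestVerificationToken cookie with the hidden form
        // field of the same name. A pass is silent; a failure is an
        // HttpAntiForgeryException. If this line is never reached on the
        // postback path, or the exception is swallowed by a catch-all, a
        // tampered token goes unnoticed.
        AntiForgery.Validate();
    }
}

// ---- AjaxTokenHandler.ashx.cs ----
// An AJAX POST carries no form field, so the page script copies the hidden
// field's value into a header (one line of JavaScript, assumed here):
//   xhr.setRequestHeader("X-RequestVerificationToken",
//       document.querySelector('input[name="__RequestVerificationToken"]').value);
// The cookie half still travels with the request automatically.
public class AjaxTokenHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext ctx)
    {
        if (ctx.Request.HttpMethod != "POST")
        {
            ctx.Response.StatusCode = 405;
            return;
        }

        HttpCookie cookie = ctx.Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;
        string headerToken = ctx.Request.Headers["X-RequestVerificationToken"];

        try
        {
            // Two-argument overload: validates a cookie/form token pair supplied
            // by the caller instead of reading Request.Form. A missing half or
            // a pair that does not match throws.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.ContentType = "text/plain";
            ctx.Response.Write("anti-forgery token missing or invalid");
            return;
        }

        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write("ok");
    }

    public bool IsReusable
    {
        get { return true; }
    }
}
```

When checking this kind of setup with a proxy, remember that AntiForgery.Validate() reports failure only by throwing: a request whose hidden field has been edited should come back as an unhandled HttpAntiForgeryException (an HTTP 500 page unless custom errors or a handler like the one above turn it into a 403). If editing the hidden field produces a normal response, the first thing to confirm is that the postback actually runs through the code path containing the Validate() call.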