SharePoint - How to prevent cross-site request forgery

Cross site forgery is also known as one-click attack or session riding and abbreviated as CSRF or XSRF (see Wikipedia - It is outlined in one of OWASP Top 10 security high vulnerability checklist - hence every developer must be aware of how to prevent this attack from their code. If you browse to SharePoint application page inside hive folder, you will see following line: <SharePoint:FormDigest runat="server” /> this particular control will actually provide form digest which is set of token strings that has been generated by server for the requested page. In the server side, there will be logic to validate this form digest before the server process the POST request from client (application page). The code is simply: SPUtility.ValidateFormDigest() that will return true/false. If you use JavaScript to send POST request to server, you will need to include the token value from form digest to all your request. In this case you can read the form digest value from hidden element __REQUESTDIGEST , hence you can use following JavaScript or its equivalent var formDigest = document.getElementById("__REQUESTDIGEST”).value; then use the formDigest as request body in addition to the actual form body post or as request header X-RequestDigest. For reference, heads on following article -

Riwut Libinuko
Sr. Cloud Solution Architect

My research interests include distributed robotics, mobile computing and programmable matter.

comments powered by Disqus