CSRF Attack on the Website.

harshal bundelkhandi asked on January 31, 2017 08:36

Hello Support, we are getting the below issue. On my website we have a third-party login and a redirection back to our website.

Our Kentico instance has multiple websites, so we are not able to disable it with an App Key.

Message: CSRF attack detected.

Exception type: CMS.Protection.CsrfException
Stack Trace:
   at CMS.Protection.CsrfProtection.ThrowCsrfException(Exception innerException)
   at CMS.Protection.CsrfProtection.OnPostMapRequestHandlerExecute(Object sender, EventArgs eventArgs)
   at CMS.Base.AbstractHandler.CallEventHandler[TArgs](EventHandler`1 h, TArgs e)
   at CMS.Base.AbstractHandler.Raise[TArgs](String partName, List`1 list, TArgs e, Boolean important)
   at CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e)
   at CMS.Base.SimpleHandler`2.RaiseExecute(TArgs e)
   at CMS.Base.SimpleHandler`2.StartEvent(TArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Message: Value cannot be null. Parameter name: s

Exception type: System.ArgumentNullException
Stack Trace:
   at System.Convert.FromBase64String(String s)
   at CMS.Protection.CsrfProtection.OnPostMapRequestHandlerExecute(Object sender, EventArgs eventArgs)

Regards, Harshal

Correct Answer

Chetan Sharma answered on January 31, 2017 08:52

Harshal, what kind of code is resulting in the CSRF exception? Is it happening throughout the website or any particular page?

Did you read these three articles, especially while implementing protection against CSRF on your website?

Protection on CSRF. An article by Kentico team

Developing secure websites

Best practices to avoid cross site scripting


Recent Answers


harshal bundelkhandi answered on January 31, 2017 09:00

Hi Chetan,

Thank you for quick reply.

It applies to a single page.

Regards, Harshal


Michal Samuhel answered on January 31, 2017 10:23

Harshal, I see you had mentioned a custom redirect and authentication. Are you making any POST requests to the page? CSRF protection should ensure that POST requests are coming from the same source, so we check the request for a hidden field and a cookie. Based on the stack trace, your redirect does not seem to contain these parameters.

I do not know about the login and redirect, but you need to ensure that it makes a GET request; depending on the version that you are using, there might also be a workaround for version 10.

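To make the failure mode in this thread concrete, here is an added example (not Kentico's code and not from any poster) that models the double-submit check the stack trace points at: on a POST the value of a hidden form field is Base64-decoded and compared with a cookie, so a POST that arrives from a third-party login redirect without either value fails before the comparison (the "Value cannot be null. Parameter name: s" path), a POST with a non-matching pair fails the comparison ("CSRF attack detected."), and a GET is not checked at all. The field name `__CMSCsrfToken` and cookie name `CMSCsrfCookie` are assumptions used for illustration, and the sample requests are constructed inline.

```python
"""Simplified double-submit-cookie CSRF check (illustration, not Kentico's code).

Assumed names: hidden field ``__CMSCsrfToken`` and cookie ``CMSCsrfCookie``.
"""
import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_FIELD = "__CMSCsrfToken"   # assumed name of the hidden form field
TOKEN_COOKIE = "CMSCsrfCookie"   # assumed name of the cookie


class CsrfException(Exception):
    """Raised when the CSRF check fails (mirrors CMS.Protection.CsrfException)."""


@dataclass
class Request:
    """Just the parts of an HTTP request the check looks at."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_token() -> tuple[str, str]:
    """Return (cookie_value, hidden_field_value) for a freshly rendered form.

    Both carry the same random bytes, Base64-encoded, so a legitimate
    same-site form submission can present them together.
    """
    raw = secrets.token_bytes(32)
    encoded = base64.b64encode(raw).decode("ascii")
    return encoded, encoded


def check_csrf(request: Request) -> str:
    """Validate a request; return 'skipped' or 'ok', or raise CsrfException."""
    if request.method.upper() != "POST":
        # Safe methods are not state-changing, so they are not checked.
        return "skipped"

    token = request.form.get(TOKEN_FIELD)
    cookie = request.cookies.get(TOKEN_COOKIE)

    # A missing value is what produces Convert.FromBase64String(null) in .NET;
    # the null is reported before any comparison can happen.
    if token is None or cookie is None:
        raise CsrfException("Value cannot be null. Parameter name: s")

    try:
        token_bytes = base64.b64decode(token, validate=True)
        cookie_bytes = base64.b64decode(cookie, validate=True)
    except binascii.Error as exc:
        raise CsrfException("CSRF attack detected.") from exc

    # Constant-time comparison of the two copies of the secret.
    if not hmac.compare_digest(token_bytes, cookie_bytes):
        raise CsrfException("CSRF attack detected.")
    return "ok"


def classify(request: Request) -> str:
    """Run the check and fold the exception into a string for easy inspection."""
    try:
        return check_csrf(request)
    except CsrfException as exc:
        return f"csrf: {exc}"


# --- Constructed sample requests -------------------------------------------
cookie_value, field_value = issue_token()

# A normal same-site form POST: both halves of the pair are present and match.
SAME_SITE_POST = Request("POST", "/Login.aspx",
                         cookies={TOKEN_COOKIE: cookie_value},
                         form={TOKEN_FIELD: field_value, "user": "harshal"})

# A third-party identity provider posting back to the site: it never saw the
# form, so it sends neither the hidden field nor the cookie.
THIRD_PARTY_POST_BACK = Request("POST", "/LoginCallback.aspx",
                                form={"id_token": "...", "state": "xyz"})

# Same as above but with a stale or attacker-chosen field that does not
# match the visitor's cookie.
MISMATCHED_POST = Request("POST", "/LoginCallback.aspx",
                          cookies={TOKEN_COOKIE: cookie_value},
                          form={TOKEN_FIELD: base64.b64encode(b"x" * 32).decode()})

# The same callback delivered as a 302 redirect with a query string.
THIRD_PARTY_GET_REDIRECT = Request("GET", "/LoginCallback.aspx?code=abc")

if __name__ == "__main__":
    for name, req in [("same-site form POST", SAME_SITE_POST),
                      ("third-party POST back", THIRD_PARTY_POST_BACK),
                      ("mismatched POST", MISMATCHED_POST),
                      ("third-party GET redirect", THIRD_PARTY_GET_REDIRECT)]:
        print(f"{name:26} -> {classify(req)}")
```

Run as a script, the four constructed requests show why the thread's two exceptions appear on a single page and why Michal's suggestion of a GET-based redirect sidesteps the check: only the POST that carries both matching halves of the token passes.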
