In my ASP.NET web application, while I'm doing a pen test using OWASP, it shows:
form does not contain an anti-csrf token
So I read several articles on how to avoid this issue. I found this solution on Stack Overflow. As he says, I need to add this code, <%= System.Web.Helpers.AntiForgery.GetHtml() %>, inside the web form. But my .aspx code is as follows:
<%@ Page Title="" Language="C#" MasterPageFile="~/Common/OLTMaster.Master" AutoEventWireup="true"
  CodeBehind="MyAccount.aspx.cs" Inherits="LTSWeb.Admin.MyAccount" %>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" runat="server">
  <script type="text/javascript" src="../Scripts/common.js"></script>
  <asp:UpdatePanel ID="UpdatePanel1" runat="server">
    <ContentTemplate>
      <table cellpadding="0" cellspacing="0" width="100%">
        <tr>
          <td align="left" valign="top">
            <div class="MyAccount">
              <div class="sectionContentWrapUp">
                <table style="width: 100%" border="0" cellpadding="0" cellspacing="0">
                  <tr>
                    <td align="center" style="padding-bottom: 10px;">
                      <table style="width: 100%;" class="gridOutLine striped-table">
                        <tr>
                          <td align="right" width="50%">User Name:
                          </td>
                          <td align="left" width="50%">
                            <asp:TextBox ID="txtUserName" runat="server" CssClass="txtbox" Width="120px"
                              MaxLength="30" TabIndex="1"></asp:TextBox>
                          </td>
                        </tr>
                        <tr>
                          <td align="right" width="50%">Password:
                          </td>
                          <td align="left" width="50%">
                            <%-- txtPassword is the control the validator below points at; it was missing
                                 from the posted markup, so the page would throw at runtime without it --%>
                            <asp:TextBox ID="txtPassword" runat="server" CssClass="txtbox" Width="120px"
                              TextMode="Password" TabIndex="2"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="rvPassword" runat="server" ControlToValidate="txtPassword"
                              CssClass="errorMsg" ErrorMessage="Invalid password" ValidationGroup="vgUser">*</asp:RequiredFieldValidator>
                          </td>
                        </tr>
                      </table>
                    </td>
                  </tr>
                  <tr>
                    <td align="left">
                      <%-- ValidationGroup added so the click actually triggers rvPassword (same group) --%>
                      <asp:ImageButton ID="btnSaveUser" runat="server" CssClass="buttonHover" OnClick="btnSaveUser_Click"
                        SkinID="btnSave" ValidationGroup="vgUser" />
                    </td>
                  </tr>
                </table>
              </div>
            </div>
          </td>
        </tr>
      </table>
    </ContentTemplate>
  </asp:UpdatePanel>
</asp:Content>
And this is my .aspx.cs:
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace LTSWeb.Admin
{
    // Namespace and class name come from the Inherits attribute of the .aspx directive.
    public partial class MyAccount : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            try
            {
                if (!Page.IsPostBack)
                {
                    // Some code here (runs on the first request only, not on postbacks)
                }
            }
            catch (Exception ex)
            {
                Logger.LogErrorEvent(ex);
            }
        }

        protected void btnSaveUser_Click(object sender, ImageClickEventArgs e)
        {
            // user data save code goes here
        }
    }
}
According to this answer, how do I need to change my code? Please help me. I also found another answer on preventing CSRF attacks, but my master page does not contain a Page_Init function. Do I need to add it manually?
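One way to do what the second answer describes, as an added example that is not the asker's code and not code from any library: put the ViewStateUserKey anti-CSRF pattern in the master page's code-behind, so every content page that uses OLTMaster.Master (MyAccount.aspx included) gets it without changes to its own .aspx or .aspx.cs. It assumes the master code-behind is OLTMaster.Master.cs with class LTSWeb.Common.OLTMaster, and that the .Master directive has AutoEventWireup="true", which is what binds a method named Page_Init by name; you do add the method yourself. The token value, cookie name and ViewState keys are choices made here, not anything the page or ASP.NET dictates.

```csharp
// Added example (not the asker's code): ViewStateUserKey anti-CSRF pattern in the master page.
// Assumptions: file OLTMaster.Master.cs, class LTSWeb.Common.OLTMaster, AutoEventWireup="true"
// on the .Master directive so Page_Init is bound by name.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

namespace LTSWeb.Common
{
    public partial class OLTMaster : MasterPage
    {
        // One half of the token lives in a cookie, the other in MAC-protected ViewState.
        private const string AntiXsrfTokenKey = "__AntiXsrfToken";
        private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
        private string _antiXsrfTokenValue;

        // ViewStateUserKey must be assigned before ViewState is loaded, so Init is the
        // only phase where this works; setting it in Page_Load is too late.
        protected void Page_Init(object sender, EventArgs e)
        {
            HttpCookie requestCookie = Request.Cookies[AntiXsrfTokenKey];
            if (requestCookie != null && IsWellFormedToken(requestCookie.Value))
            {
                _antiXsrfTokenValue = requestCookie.Value;
            }
            else
            {
                // No usable cookie yet: mint a fresh token and hand it to the browser.
                _antiXsrfTokenValue = NewToken();
                var responseCookie = new HttpCookie(AntiXsrfTokenKey, _antiXsrfTokenValue)
                {
                    HttpOnly = true,                      // not readable from script
                    Secure = Request.IsSecureConnection   // not sent over plain HTTP
                };
                Response.Cookies.Set(responseCookie);
            }

            // Ties the ViewState MAC to this token: ViewState captured from another
            // user or forged cross-site fails to load.
            Page.ViewStateUserKey = _antiXsrfTokenValue;

            // ViewState has been loaded by PreLoad, so the comparison runs there.
            Page.PreLoad += ValidateAntiXsrfToken;
        }

        private void ValidateAntiXsrfToken(object sender, EventArgs e)
        {
            string userName = Context.User == null ? string.Empty : (Context.User.Identity.Name ?? string.Empty);

            if (!Page.IsPostBack)
            {
                // First render: record the token and the user it was issued to.
                ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue;
                ViewState[AntiXsrfUserNameKey] = userName;
                return;
            }

            // Every postback, UpdatePanel async postbacks included (they submit the whole
            // form): cookie half and ViewState half must match, for the same user.
            if (!FixedTimeEquals((string)ViewState[AntiXsrfTokenKey], _antiXsrfTokenValue)
                || (string)ViewState[AntiXsrfUserNameKey] != userName)
            {
                throw new InvalidOperationException("Validation of anti-XSRF token failed.");
            }
        }

        // 256 random bits from the CSPRNG as URL-safe base64 without padding (43 chars).
        private static string NewToken()
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(bytes);
            }
            return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }

        // Reject anything the client tampered with before it is echoed into ViewState.
        private static bool IsWellFormedToken(string value)
        {
            if (value == null || value.Length != 43) return false;
            foreach (char c in value)
            {
                if (!(char.IsLetterOrDigit(c) || c == '-' || c == '_')) return false;
            }
            return true;
        }

        // Constant-time comparison so the position of a mismatch does not leak via timing.
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a == null || b == null || a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Nothing in MyAccount.aspx.cs changes: PreLoad runs before Page_Load and before btnSaveUser_Click, so a forged postback is rejected before the save code runs, and the UpdatePanel makes no difference because an async postback still posts __VIEWSTATE and the rest of the form. Two caveats. First, this relies on the ViewState MAC being enabled (enableViewStateMac="true", the default, and not switchable off from .NET 4.5.2 on); with it disabled the ViewStateUserKey binding means nothing. Second, OWASP ZAP's "Absence of Anti-CSRF Tokens" rule looks for a hidden input whose name is on its configurable token list (__RequestVerificationToken is on that list, __VIEWSTATE is not), so the scanner can keep reporting the form even though it is now protected. If you want a token the scanner recognizes, the first answer's route is the alternative: render <%= System.Web.Helpers.AntiForgery.GetHtml() %> inside the form (it emits a __RequestVerificationToken hidden field plus a matching cookie) and call System.Web.Helpers.AntiForgery.Validate() in Page_Load when Page.IsPostBack is true; it throws HttpAntiForgeryException on a mismatch. Either mechanism is a real defence; pick one rather than adding a field just to quiet the report.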