I have been doing a code audit of a project built on the latest ASP.NET MVC API. It turned out that the project was not using the built-in CSRF mitigation that has been available since the Preview 5 release of the API. The mitigation is simple: the framework generates tokens and validates them on controller actions. As usual, I would rather spend my audit time looking for more complex issues and rely on the FxCop automation we already have to spot this sort of problem early, so I implemented a simple rule that flags where the mitigation should be used but is not. The rule looks for controller actions that are reachable via POST and checks whether the method declares the ValidateAntiForgeryTokenAttribute. You can read more about how to implement the mitigation in your code in Steve Sanderson's blog post on the subject.
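As an added example (this is not the FxCop rule described above, nor code from the page), the same check expressed with plain reflection so it can be run stand-alone against a compiled MVC assembly. It assumes a project compiled against System.Web.Mvc (1.0 or later); the AccountController and the AntiForgeryAudit helper names are constructed for illustration. Unlike the real rule, which inspects metadata through the FxCop introspection API, this version loads the assembly and walks it with System.Reflection.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;   // assumption: compiled against the ASP.NET MVC assembly (1.0 or later)

// Constructed sample controller (not from the page). It mixes the cases the
// check must tell apart: a GET action, an unprotected POST action, and a POST
// action carrying the built-in mitigation.
public class AccountController : Controller
{
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult ChangeEmail()
    {
        // The form rendered by this view is expected to emit Html.AntiForgeryToken().
        return View();
    }

    // Finding: reachable via POST, changes state, never validates the token.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult ChangeEmail(string email)
    {
        return RedirectToAction("Index");
    }

    // Hardened: the hidden form field and its matching cookie are compared
    // before the body runs; a mismatch raises HttpAntiForgeryException.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePassword(string oldPassword, string newPassword)
    {
        return RedirectToAction("Index");
    }
}

public static class AntiForgeryAudit
{
    // Is this action reachable via POST? AcceptVerbs(HttpVerbs.Post) is the
    // Preview 5 / MVC 1.0 spelling; [HttpPost] (MVC 2) is matched by name so
    // this still compiles against MVC 1.0. ActionMethodSelectorAttribute is
    // the common base of both verb filters.
    public static bool AcceptsPost(MethodInfo action, bool treatUnrestrictedAsPost)
    {
        object[] attrs = action.GetCustomAttributes(true);
        if (attrs.OfType<AcceptVerbsAttribute>()
                 .Any(a => a.Verbs.Any(v => string.Equals(v, "POST", StringComparison.OrdinalIgnoreCase))))
            return true;
        if (attrs.Any(a => a.GetType().Name == "HttpPostAttribute"))
            return true;
        // An action with no verb restriction at all answers POST as well;
        // callers decide whether that counts as a finding.
        bool restricted = attrs.Any(a => a is ActionMethodSelectorAttribute);
        return treatUnrestrictedAsPost && !restricted;
    }

    // The attribute is an authorization filter and may also sit on the controller
    // class; checking only the method would produce a false positive there.
    public static bool ValidatesAntiForgeryToken(MethodInfo action)
    {
        return action.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true)
            || action.DeclaringType.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true);
    }

    public static IEnumerable<string> FindUnprotectedPostActions(Assembly assembly, bool treatUnrestrictedAsPost)
    {
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));
        foreach (Type controller in controllers)
        {
            // Simplification: only public instance methods returning ActionResult
            // are treated as actions (MVC also accepts other return types).
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName
                            && typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                            && !m.IsDefined(typeof(NonActionAttribute), true));
            foreach (MethodInfo action in actions)
            {
                if (AcceptsPost(action, treatUnrestrictedAsPost) && !ValidatesAntiForgeryToken(action))
                {
                    string parameters = string.Join(", ",
                        action.GetParameters().Select(p => p.ParameterType.Name).ToArray());
                    yield return controller.Name + "." + action.Name + "(" + parameters + ")";
                }
            }
        }
    }

    public static void Main(string[] args)
    {
        // Audit the assembly given on the command line, or this one if none is given.
        Assembly target = args.Length > 0 ? Assembly.LoadFrom(args[0]) : typeof(AccountController).Assembly;
        foreach (string finding in FindUnprotectedPostActions(target, treatUnrestrictedAsPost: false))
            Console.WriteLine("Missing ValidateAntiForgeryToken: " + finding);
    }
}
```

Run against the sample, only the POST overload of ChangeEmail is reported. Setting treatUnrestrictedAsPost to true widens the net to actions that carry no verb attribute at all, which is worth doing on a first pass because such actions silently accept POST as well.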

Installation

  1. Copy MVCAntiforgeryTokenChecker.dll into your FxCop Rules folder. By default this is C:\Program Files\Microsoft FxCop 1.36\Rules.
  2. Launch FxCop; the rule appears as "AntiforgeryToken used" under the "ASP.NET MVC Security" group.