
Whereas I'm aware that the synchronizer pattern is the recommended approach to prevent CSRF attacks, I am in a situation where it would be a lot faster to implement the origin header check.

I was hoping it would be very easy to have a server-wide filter in IIS (7.5) which would allow me to block POST requests that are coming from a different domain. It is possible to block POST requests, and it is possible to block requests coming from a certain domain. However, it seems that no filters exist that combine the two. So my question is:

Is there a module/manner to easily block POST requests that are coming from different domains in IIS 7.5?

Michael
  • Can you somehow combine this https://technet.microsoft.com/en-us/library/cc730889.aspx with blocking POST requests? Otherwise you can install a firewall in front of your IIS to do the filtering for you – Purefan Jun 09 '15 at 10:06
  • You realize that origin headers can be spoofed right? – Jeroen Jun 09 '15 at 15:57
  • @Purefan, a firewall would probably do the trick, but that is a pretty heavy solution. I was hoping something lightweight could do the trick. – Michael Jun 09 '15 at 16:09
  • @Jeroen-ITNerdbox, please see http://security.stackexchange.com/q/91165/38069 for further information about origin headers to prevent CSRF attacks. – Michael Jun 09 '15 at 16:10

1 Answer


You could do this with a Custom HTTP Module, written in ASP.NET. ASP.NET is required to run the module, although the rest of your deployment need not be in ASP.NET. Note this code is untested, but should put you on the right lines. Of course this does not implement the full logic described in my other answer for dealing with CSRF using Origin, so it only affords some protection (i.e. no old browser protection).

Example adapted from Walkthrough: Creating and Registering a Custom HTTP Module.

Create Module

using System;
using System.Web;

public class HelloWorldModule : IHttpModule
{
    public HelloWorldModule()
    {
    }

    public String ModuleName
    {
        get { return "HelloWorldModule"; }
    }

    // In the Init function, register for HttpApplication
    // events by adding your handlers.
    public void Init(HttpApplication application)
    {
        application.BeginRequest +=
            (new EventHandler(this.Application_BeginRequest));
    }

    private void Application_BeginRequest(Object source,
         EventArgs e)
    {
        // Create HttpApplication and HttpContext objects to access
        // request and response properties.
        HttpApplication application = (HttpApplication)source;
        HttpContext context = application.Context;

        // Only POST requests are checked (the question is about POST);
        // a GET typed into the address bar carries no Origin header at all.
        // Note: Request.Headers is the collection that holds the Origin
        // header; Request["Origin"] only searches query string, form,
        // cookies and server variables and would never find it.
        if (context.Request.HttpMethod == "POST"
            && context.Request.Headers["Origin"] != "https://www.example.com")
        {
            // Deny request - spit out 403 and stop the pipeline here
            context.Response.StatusCode = 403;
            context.Response.SuppressContent = true;
            application.CompleteRequest();
        }
    }

    public void Dispose() { }
}

To register the module for IIS 6.0 and IIS 7.0 running in Classic mode

<configuration>
  <system.web>
    <httpModules>
      <add name="HelloWorldModule" type="HelloWorldModule"/>
    </httpModules>
  </system.web>
</configuration>

To register the module for IIS 7.0 running in Integrated mode

<configuration>
  <system.webServer>
    <modules>
      <add name="HelloWorldModule" type="HelloWorldModule"/>
    </modules>
  </system.webServer>
</configuration>

As you are running MVC, make sure you alter the one in the root (not the Views folder).

SilverlightFox
  • This is certainly a solution to what I needed. However, your answer to my other question has got me to doubt: it is probably better to go with the synchronizer pattern in order to support older browsers. – Michael Jun 10 '15 at 14:22
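The module sketched in the answer above, written out as a complete added example (not code from the answer or from the Microsoft walkthrough it cites). It goes a little beyond the single hard-coded origin: it accepts an allowlist of origins, applies the check to every state-changing method rather than only POST, normalises the Origin value through System.Uri so that host case and an explicit default port compare equal and a look-alike host such as www.example.com.evil.test cannot match by string prefix, and keeps the decision in a static method that can be unit tested without IIS. The class name OriginCheckModule and the two allowlisted origins are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module name; register it the same way HelloWorldModule is
// registered above, substituting this name and type.
public class OriginCheckModule : IHttpModule
{
    // Constructed sample allowlist of origins permitted to send
    // state-changing requests. Load this from configuration in practice.
    private static readonly string[] AllowedOrigins =
    {
        "https://www.example.com",
        "https://app.example.com:8443"
    };

    public void Init(HttpApplication application)
    {
        application.BeginRequest += OnBeginRequest;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        HttpContext context = application.Context;

        // Request.Headers is where the Origin header lives
        // (Request["Origin"] does not search the headers).
        if (ShouldBlock(context.Request.HttpMethod,
                        context.Request.Headers["Origin"],
                        AllowedOrigins))
        {
            context.Response.StatusCode = 403;
            context.Response.SuppressContent = true;
            application.CompleteRequest(); // skip the rest of the pipeline
        }
    }

    public void Dispose() { }

    // Pure decision function: true means the request must be rejected.
    // Free of HttpContext so it can be exercised from a unit test.
    public static bool ShouldBlock(string method, string origin, IEnumerable<string> allowed)
    {
        // Safe methods pass untouched: GET/HEAD/OPTIONS normally carry no
        // Origin header and must not change server state anyway.
        if (IsSafeMethod(method))
            return false;

        // A missing, "null" or unparseable Origin is rejected, as in the
        // answer above; browsers that never send Origin are affected too.
        string requestOrigin = NormalizeOrigin(origin);
        if (requestOrigin == null)
            return true;

        foreach (string candidate in allowed)
        {
            string allowedOrigin = NormalizeOrigin(candidate);
            if (allowedOrigin != null
                && string.Equals(allowedOrigin, requestOrigin, StringComparison.Ordinal))
                return false;
        }
        return true;
    }

    private static bool IsSafeMethod(string method)
    {
        return string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase)
            || string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase)
            || string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase);
    }

    // Reduce an origin to "scheme://host[:port]" so that host case and an
    // explicit default port (":443") compare equal, and so that only a full
    // authority match counts: "https://www.example.com.evil.test" yields a
    // different authority and is rejected.
    private static string NormalizeOrigin(string origin)
    {
        Uri uri;
        if (string.IsNullOrEmpty(origin)
            || !Uri.TryCreate(origin, UriKind.Absolute, out uri)
            || (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
        {
            return null;
        }
        return uri.GetLeftPart(UriPartial.Authority);
    }
}
```

With this in place, ShouldBlock("POST", "https://WWW.Example.com:443", AllowedOrigins) returns false while ShouldBlock("POST", "https://www.example.com.evil.test", AllowedOrigins), ShouldBlock("POST", null, AllowedOrigins) and ShouldBlock("DELETE", "null", AllowedOrigins) all return true; ShouldBlock("GET", null, AllowedOrigins) returns false because GET is never checked. Register the module under system.webServer/modules for Integrated mode or system.web/httpModules for Classic mode exactly as shown above, and, as the answer notes, in the root web.config rather than the one in the Views folder.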