Fxcop rule to verify the use of ASP.NET MVC AntiforgeryTokenAttribute


I’ve been working on code auditing for a project that uses the latest ASP.NET MVC API. It turned out that the project didn’t benefit from the built-in CSRF mitigation available since the Preview 5 version of the API. The mitigation is quite simple: it generates tokens and validates them inside controller actions. As usual, I would rather spend my time looking for more complex issues during a code audit, and I prefer relying on the FxCop automation we have to spot this sort of problem earlier, so I implemented a simple rule that catches the places where the mitigation should be used. The rule looks for controller actions that are reachable via POST and checks whether the method declares the ValidateAntiForgeryTokenAttribute. You can read more on how to implement the mitigation in your code in Steve Sanderson’s blog post on the subject.
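To make the check described above concrete, here is an added illustrative FxCop introspection rule. It is not the code shipped in MVCAntiforgeryTokenChecker.dll; it is written against the FxCop 1.36 SDK as I recall its API (BaseIntrospectionRule, Method, AttributeNode, TypeNode, GetResolution), and the rule class name and the embedded rule-metadata resource name "MvcSecurityRules.Rules" are assumptions. It narrows the candidates to public, non-static methods of a Controller subclass that return an ActionResult and are not marked [NonAction], so private ActionResult-returning helpers are not reported, and it treats an action as reachable via POST unless it carries a verb restriction ([AcceptVerbs] or the MVC 2 [HttpGet]/[HttpPut]/[HttpDelete]/[HttpHead] shorthands) that excludes POST.

```csharp
using System;
using Microsoft.FxCop.Sdk;

// Added example rule (not the downloadable MVCAntiforgeryTokenChecker.dll).
// Assumes an embedded XML rule resource "MvcSecurityRules.Rules" that describes
// the rule "ValidateAntiForgeryTokenOnPostActions" with a {0} resolution placeholder
// for the method name. Both names are assumptions for this example.
public sealed class ValidateAntiForgeryTokenOnPostActions : BaseIntrospectionRule
{
    private const string ControllerType     = "System.Web.Mvc.Controller";
    private const string ActionResultType   = "System.Web.Mvc.ActionResult";
    private const string TokenAttribute     = "System.Web.Mvc.ValidateAntiForgeryTokenAttribute";
    private const string NonActionAttribute = "System.Web.Mvc.NonActionAttribute";
    private const string AcceptVerbsAttr    = "System.Web.Mvc.AcceptVerbsAttribute";
    private const string HttpPostAttr       = "System.Web.Mvc.HttpPostAttribute";
    private const int    HttpVerbsPost      = 2; // HttpVerbs.Post flag value

    public ValidateAntiForgeryTokenOnPostActions()
        : base("ValidateAntiForgeryTokenOnPostActions", "MvcSecurityRules.Rules",
               typeof(ValidateAntiForgeryTokenOnPostActions).Assembly)
    {
    }

    // Only externally visible members can be MVC actions; this alone keeps
    // private ActionResult-returning helpers out of the report.
    public override TargetVisibilities TargetVisibility
    {
        get { return TargetVisibilities.ExternallyVisible; }
    }

    public override ProblemCollection Check(Member member)
    {
        Method method = member as Method;
        if (method == null || method.IsStatic || !method.IsPublic) return null;
        if (!DerivesFrom(method.DeclaringType, ControllerType)) return null;   // not a controller
        if (!DerivesFrom(method.ReturnType, ActionResultType)) return null;    // not an action result
        if (HasAttribute(method.Attributes, NonActionAttribute)) return null;  // explicitly not an action
        if (!ReachableViaPost(method)) return null;                            // GET-only etc.

        // The token check may sit on the method or (later MVC versions) on the controller class.
        if (HasAttribute(method.Attributes, TokenAttribute)) return null;
        if (HasAttribute(method.DeclaringType.Attributes, TokenAttribute)) return null;

        Problems.Add(new Problem(GetResolution(method.FullName), method));
        return Problems;
    }

    // An action accepts every verb unless restricted; report only if POST is still allowed.
    private static bool ReachableViaPost(Method method)
    {
        bool restricted = false;
        foreach (AttributeNode attr in method.Attributes)
        {
            string name = attr.Type.FullName;
            if (name == HttpPostAttr) return true;

            if (name == AcceptVerbsAttr)
            {
                restricted = true;
                // Assumption: the SDK surfaces the HttpVerbs enum argument as a Literal whose
                // Value is the underlying integer. If the shape is unexpected, stay conservative
                // and treat the action as POST-reachable so it is reviewed rather than skipped.
                Literal verbs = attr.GetPositionalArgument(0) as Literal;
                if (verbs == null || verbs.Value == null) return true;
                try
                {
                    if ((Convert.ToInt32(verbs.Value) & HttpVerbsPost) != 0) return true;
                }
                catch (Exception) { return true; }
            }
            else if (name.StartsWith("System.Web.Mvc.Http", StringComparison.Ordinal)
                     && name.EndsWith("Attribute", StringComparison.Ordinal))
            {
                restricted = true; // HttpGet / HttpPut / HttpDelete / HttpHead exclude POST
            }
        }
        return !restricted;
    }

    private static bool HasAttribute(AttributeNodeCollection attributes, string fullName)
    {
        foreach (AttributeNode attr in attributes)
            if (attr.Type.FullName == fullName) return true;
        return false;
    }

    // Walks the inheritance chain so controllers with an intermediate base class still match.
    private static bool DerivesFrom(TypeNode type, string fullName)
    {
        for (TypeNode t = type; t != null; t = t.BaseType)
            if (t.FullName == fullName) return true;
        return false;
    }
}
```

Comparing attributes by full type name rather than by loading System.Web.Mvc keeps the rule independent of the MVC version the audited assembly references; the trade-off is that a project using its own subclass of ValidateAntiForgeryTokenAttribute would be reported and would need to be added to the accepted names.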


Installation

  1. Copy MVCAntiforgeryTokenChecker.dll into your FxCop rule folder. By default it’s under c:\Program Files\Microsoft FxCop 1.36\Rules
  2. Launch FxCop; the rule appears as “AntiforgeryToken used” under the “ASP.NET MVC Security” group.

MVCAntiforgeryTokenChecker.zip

Comments (3)

  1. eti says:

    Hi, very useful plugin but it’s reporting private controller methods that return ActionResult as warnings. Since the private methods can’t be called as actions probably the rule should not apply to them.

    Anyway thanks for this rule.

  2. daveblack says:

    Hi Sacha,

    Is there a version of this that works with FxCop 10.0? Thank you for your time : )