Checking for ViewStateUserKey using FxCop
ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. I've implemented a basic FXCop rule to verify if this property is used on each page. The rule is basic so it doesn't look at what is assigned to the property and only looks if something is assigned to it. The ViewStateUserKey property is not full proof. If you are not using viewstate on the page it doesn't help much. You can also review this post regarding limitation of the ViewStateUserKey. I strongly recommend that you include this rule when running fxcop or code analysis in visual studio on web projects.
Installation
- Unzip and select the appropriate rule for the fxcop release you are using
- For Visual Studio Team System 2005 select the fxcop 1.35 version and place it in C:\Program Files\Microsoft Visual Studio 8\Team Tools\Static Analysis Tools\FxCop\Rules
- For Visual Studio Team System 2008 select the fxcop 1.36 version and place it in C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Static Analysis Tools\FxCop\Rules
- The rule can be enabled under the "ASP.NET Security" section and it's called "ViewStateUserKey used"
Update
I've been working with projects using ASP.NET MVC and made some update to the rule to ignore classes inheriting from ViewPage since MVC doesn't use ViewState.