
Alert group HTML form without CSRF protection
Status: Closed, Invalid. Visibility: Public

Description

Web Server
Alert group HTML form without CSRF protection
Severity Medium
Description
This alert requires manual confirmation.
Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victim did not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser.
Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for more information about the affected HTML form.
Recommendations
Verify if this form requires anti-CSRF protection and implement CSRF countermeasures if necessary.
The recommended and most widely used technique for preventing CSRF attacks is known as an anti-CSRF token, also sometimes referred to as a synchronizer token. The characteristics of a well-designed anti-CSRF system involve the following attributes.
The anti-CSRF token should be unique for each user session
The session should automatically expire after a suitable amount of time
The anti-CSRF token should be a cryptographically random value of significant length
The anti-CSRF token should be cryptographically secure, that is, generated by a strong Pseudo-Random Number Generator (PRNG) algorithm
The anti-CSRF token is added as a hidden field for forms, or within URLs (only necessary if GET requests cause state changes, that is, GET requests are not idempotent)
The server should reject the requested action if the anti-CSRF token fails validation
When a user submits a form or makes some other authenticated request that requires a Cookie, the anti-CSRF token should be included in the request. The web application will then verify the existence and correctness of this token before processing the request. If the token is missing or incorrect, the request can be rejected.
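The synchronizer token pattern the recommendations describe, as an added example that is not code from the scanner alert or from the project this task concerns. The in-memory session store, the `/w/index.php` form action and the `csrf_token` field name are assumptions made for illustration; a real deployment would use its framework's session and template layer.

```python
import hmac
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of entropy from the OS CSPRNG
TOKEN_MAX_AGE = 3600      # seconds before the token (and session) is considered stale


class SessionStore:
    """Constructed stand-in for a server-side session store keyed by session cookie."""
    def __init__(self):
        self._sessions = {}

    def get_or_create(self, session_id):
        return self._sessions.setdefault(session_id, {})


def issue_csrf_token(session, now=None):
    """Return the session's anti-CSRF token, minting one on first use or after expiry."""
    now = time.time() if now is None else now
    if "csrf_token" not in session or now - session["csrf_issued"] > TOKEN_MAX_AGE:
        # token_urlsafe draws from secrets (CSPRNG) and yields only [A-Za-z0-9_-],
        # so it is safe to place in an HTML attribute without escaping
        session["csrf_token"] = secrets.token_urlsafe(TOKEN_BYTES)
        session["csrf_issued"] = now
    return session["csrf_token"]


def render_form(session, action="/w/index.php"):
    """Embed the per-session token as a hidden field; a cross-site page cannot read it."""
    token = issue_csrf_token(session)
    return (f'<form method="POST" action="{action}">\n'
            f'  <input type="hidden" name="csrf_token" value="{token}">\n'
            f'  <input type="submit" value="Save">\n'
            f'</form>')


def validate_csrf(session, form_fields, now=None):
    """True only if a non-expired session token exists and matches the submitted one."""
    now = time.time() if now is None else now
    expected = session.get("csrf_token")
    submitted = form_fields.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    if now - session["csrf_issued"] > TOKEN_MAX_AGE:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def handle_post(session, form_fields, now=None):
    """Simulated state-changing endpoint: reject before doing any work on a bad token."""
    if not validate_csrf(session, form_fields, now):
        return 403, "CSRF token missing or invalid"
    return 200, "change applied"
```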
Alert variants
Details
GET /w/index.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive

Event Timeline

MaxSem changed the visibility from "Custom Policy" to "Public (No Login Required)".

Some further discussions of this oft-reported issue: T14945, T40417.