Page MenuHomePhabricator

Alert group HTML form without CSRF protection
Closed, InvalidPublic


Web Server
Alert group HTML form without CSRF protection
Severity Medium
This alert requires manual confirmation
Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into
making a request the victim did not intend to make. Therefore, with CSRF, an attacker abuses the trust
a web application has with a victim's browser.
Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack
details' section for more information about the affected HTML form.
Verify if this form requires anti-CSRF protection and implement CSRF countermeasures if necessary.
The recommended and the most widely used technique for preventing CSRF attacks is know as an
anti-CSRF token, also sometimes referred to as a synchronizer token. The characteristics of a well
designed anti-CSRF system involve the following attributes.
The anti-CSRF token should be unique for each user session
The session should automatically expire after a suitable amount of time
The anti-CSRF token should be a cryptographically random value of significant length
The anti-CSRF token should be cryptographically secure, that is, generated by a strong PseudoRandom Number Generator (PRNG) algorithm
The anti-CSRF token is added as a hidden field for forms, or within URLs (only necessary if GET
requests cause state changes, that is, GET requests are not idempotent)
The server should reject the requested action if the anti-CSRF token fails validation
When a user submits a form or makes some other authenticated request that requires a Cookie, the
anti-CSRF token should be included in the request. Then, the web application will then verify the
existence and correctness of this token before processing the request. If the token is missing or
incorrect, the request can be rejected.
Alert variants
GET /w/index.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive

Event Timeline

MaxSem changed the visibility from "Custom Policy" to "Public (No Login Required)".

Some further discussions of this oft-reported issue: T14945, T40417.