HTML Form Without Anti-CSRF Token Detected
#1
Hi Team,

Got the below vulnerability in this quarter's audit. In the ServerController security options, checkformid is already True. The version I am using is 15.2.62.
Please advise how to fix this.

Thanks
Pramod

HTML Form Without Anti-CSRF Token Detected

Cross-Site Request Forgery (CSRF/XSRF) is a vulnerability where an attacker tricks the victim into making a request the victim did not make. So the attacker abuses the trust a web application has with a victim's browser. Mostly, the HTML forms submitted have CSRF tokens embedded in them while submitting the request. If a form is without this preventive measure enabled, then it is very much prone to CSRF attacks and other dependent attacks. We check for the existence of a known list of CSRF tokens; if none of the tokens are found, the target will be flagged.
#2
You just need to point them to the token.

You will find it right at the bottom of the generated HTML, something like this:

<input name="IW_FormID_" type="hidden" value="namtCysYXuYT~1HeQ3a8a5J-h9C"></form>

A wrong value in this field will cause the IW server to reject the request.

The value is per session and per instance. Two instances of the form will always have different values regardless of the session, so one user can't impersonate another user even if they have the other user's session ID.
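The mechanism described in the reply above (a hidden per-session, per-form-instance token that the server rejects when it does not match) as an added illustration in Python; this is not IntraWeb's own code, and the session record, the `render_form`, `extract_form_id` and `validate_submission` helpers, and the token format are assumptions made for the example. Only the field name `IW_FormID_` is taken from the thread.

```python
import hmac
import re
import secrets
from typing import Optional

# Name of the hidden field, as shown in the reply above.
FORM_ID_FIELD = "IW_FormID_"


def new_session() -> dict:
    """Constructed per-user session record: a session ID plus the tokens of the
    form instances rendered in that session. Tokens are never shared between sessions."""
    return {"id": secrets.token_urlsafe(16), "form_ids": []}


def issue_form_id(session: dict) -> str:
    """Mint a fresh random token for one form instance and remember it in this session only.
    Every call yields a new value, so two renders of the same form differ."""
    token = secrets.token_urlsafe(20)
    session["form_ids"].append(token)
    return token


def render_form(session: dict, action: str = "/submit") -> str:
    """Render a minimal form whose last element is the hidden anti-CSRF field
    (hypothetical markup, shaped like the snippet quoted in the reply)."""
    token = issue_form_id(session)
    return (
        f'<form method="post" action="{action}">\n'
        f'<input name="amount" type="text">\n'
        f'<input name="{FORM_ID_FIELD}" type="hidden" value="{token}"></form>'
    )


_FORM_ID_RE = re.compile(rf'name="{FORM_ID_FIELD}"[^>]*value="([^"]*)"')


def extract_form_id(html: str) -> Optional[str]:
    """Pull the hidden token out of rendered HTML, i.e. what the browser submits back."""
    match = _FORM_ID_RE.search(html)
    return match.group(1) if match else None


def validate_submission(session: dict, submitted: Optional[str]) -> bool:
    """Accept a submission only if its token was minted for a form instance in *this* session.
    A missing, tampered, or foreign-session token is rejected."""
    if not submitted:
        return False
    # Constant-time comparison against each live token, so a mismatch gives no timing hint.
    return any(hmac.compare_digest(token, submitted) for token in session["form_ids"])


if __name__ == "__main__":
    alice, other = new_session(), new_session()
    page = render_form(alice)
    token = extract_form_id(page)
    print("genuine submission accepted:", validate_submission(alice, token))
    print("same token in another session:", validate_submission(other, token))
    print("form submitted without the field:", validate_submission(alice, None))
```

The check is what the scanner is looking for: a submission is only honoured when its hidden value matches one the server itself generated for that session, so the field quoted in the reply is the evidence to hand back to the auditors.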