Scanning for Cross-Site Request Forgery (CSRF) mitigations is one of the Assessing Broken Authentication and Access Control security tests used to evaluate the Web Application Security risk vector. Access control policies ensure that users cannot act outside of their intended permissions; CSRF matters here because it lets an attacker perform actions with a victim's permissions without the victim intending them.
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user's browser to submit a request (for example from a page, link or image the attacker controls) to a web application the user is currently authenticated to. CSRF exploits the trust a web application places in the browser session: because the browser attaches session cookies to every request automatically, the application cannot tell a request the user meant to make from one an attacker's page triggered unless the request carries something the attacker cannot obtain.
Need to fix?
Implement CSRF protection for all state-changing requests (e.g., POST, PUT, DELETE) and validate the token server-side on every such request; a token that is issued but never checked provides no protection. Tokens should:
- Be unique per session or, for stronger protection, per request (rotated after each successful use)
- Be transmitted as hidden form fields (not in URLs, where they leak through Referer headers, browser history, proxy and server logs)
- Include at least 128 bits of entropy from a cryptographically secure random source to ensure unpredictability
- Be compared to the stored value with a constant-time comparison, so the check itself does not leak the token
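The following is an added example, not code from the original page or the portal vendor, showing the token lifecycle the list above describes: a 128-bit token generated per session from a CSPRNG, embedded as a hidden form field, validated in constant time on the state-changing request, then rotated so it is also unique per request. The in-memory SESSIONS store, the /account/email form and the csrf_token field name are assumptions for illustration.

```python
import base64
import hmac
import html
import secrets

TOKEN_BYTES = 16  # 16 random bytes = 128 bits of entropy, the minimum the check expects

# Constructed in-memory session store for the example (assumption: a real app
# would keep this in its server-side session backend, keyed by the session cookie).
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a session and issue it a fresh CSRF token from a CSPRNG."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(TOKEN_BYTES)}
    return sid


def csrf_token_for(sid: str) -> str:
    return SESSIONS[sid]["csrf_token"]


def rotate_token(sid: str) -> str:
    """Issue a new token so each state-changing request needs a fresh one."""
    SESSIONS[sid]["csrf_token"] = secrets.token_urlsafe(TOKEN_BYTES)
    return SESSIONS[sid]["csrf_token"]


def render_form(sid: str, action: str = "/account/email") -> str:
    """Render a state-changing form with the token as a hidden field (never in the URL)."""
    token = csrf_token_for(sid)
    return (
        f'<form method="POST" action="{html.escape(action)}">\n'
        f'  <input type="hidden" name="csrf_token" value="{html.escape(token)}">\n'
        '  <input type="email" name="email">\n'
        '  <button type="submit">Save</button>\n'
        "</form>"
    )


def validate_csrf(sid: str, form: dict) -> bool:
    """Server-side check run on every POST/PUT/DELETE before doing any work."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False  # missing token is rejected, not treated as "no check needed"
    # Constant-time comparison so timing does not reveal how much of a guess matched.
    return hmac.compare_digest(expected, submitted)


def handle_email_change(sid: str, form: dict) -> tuple[int, str]:
    """Apply the state change only when the CSRF token is valid; rotate on success."""
    if not validate_csrf(sid, form):
        return 403, "CSRF token missing or invalid"
    SESSIONS[sid]["email"] = form.get("email", "")
    rotate_token(sid)  # old token is now useless even if it was captured
    return 200, "email updated"


def token_entropy_bits(token: str) -> int:
    """Entropy of a token_urlsafe() value: decode the base64url text and count bytes."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


if __name__ == "__main__":
    sid = new_session()
    print(render_form(sid))
    good = csrf_token_for(sid)
    print(token_entropy_bits(good), "bits")
    # Legitimate submission from the rendered form.
    print(handle_email_change(sid, {"csrf_token": good, "email": "user@example.com"}))
    # Forged cross-site request: the attacker's page cannot read the hidden field.
    print(handle_email_change(sid, {"email": "attacker@example.com"}))
    # Replay of the already-used token after rotation.
    print(handle_email_change(sid, {"csrf_token": good, "email": "attacker@example.com"}))
```

The forged and replayed requests both return 403 because the attacker's origin can neither read the hidden field out of the victim's page nor reuse a token that was rotated after its one use.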
What will I see in the Portal?
Issue: A CSRF token is missing, is not included as a hidden form field, or lacks sufficient entropy (less than 128 bits).
Details: The web application is missing an adequately configured Cross-Site Request Forgery (CSRF) mechanism. This can enable a CSRF attack that forces an authenticated user's browser to submit a request to the web application the user is currently authenticated to. Note that the scan evaluates what is visible in the served forms; a token carried only in a custom request header or a non-form mechanism may not be detected by this test and should be verified manually.
Possible Grades: Neutral. A missing or inadequately configured CSRF mechanism is reported as informational (Weight = N/A).