Cross-Site Request Forgery (CSRF) Mitigations Present
Erin Conry

Scanning to see whether Cross-Site Request Forgery (CSRF) mitigations are present is part of the Assessing Broken Authentication and Access Control security tests used to evaluate the Web Application Security risk vector. Access control policies ensure that users cannot act outside of their intended permissions.

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a web application against which they are currently authenticated. CSRF attacks exploit the trust a web application has in an authenticated user's browser session: the browser attaches the session cookie to every request it sends to that application, whether or not the user intended to send the request.

Need to fix?

Implement CSRF protection for all state-changing requests (e.g., POST, PUT, DELETE). Tokens should:
- Be unique per session or per request
- Be transmitted as hidden form fields (not in URLs, where they can leak through browser history, server logs, and Referer headers)
- Include at least 128 bits of entropy to ensure unpredictability

The server must reject any state-changing request whose token is missing or does not match the token bound to the current session; a token that is issued but never validated provides no protection.

What will I see in the Portal?

Issue: A CSRF token is either missing, not included as a hidden form field, or lacks sufficient entropy (less than 128 bits).

Details: The web application is missing a Cross-Site Request Forgery (CSRF) mechanism with adequate configuration. This can lead to a CSRF attack that forces authenticated users to submit a request to the web application against which they are currently authenticated.

Possible Grades:
Neutral: Missing CSRF with adequate configuration is informational (Weight = N/A)
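The following is an added example, not code from Bitsight or from the original article, showing the synchronizer-token pattern the remediation guidance describes: a per-session token with 128 bits of entropy, rendered as a hidden form field, and checked on every state-changing method before the request is honoured. The session and form objects are plain dictionaries standing in for whatever a real framework provides; the function names and the `csrf_token` field name are assumptions chosen for illustration.

```python
import base64
import hmac
import secrets
from html import escape

# 16 random bytes = 128 bits of entropy, the minimum the finding checks for.
TOKEN_BYTES = 16

# Methods that must never change state and therefore need no token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Hypothetical field name used for both the hidden input and the form lookup.
FIELD_NAME = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Create a per-session CSRF token (or reuse the existing one) and store it
    server-side so the verify step can compare against it later."""
    if FIELD_NAME not in session:
        session[FIELD_NAME] = secrets.token_urlsafe(TOKEN_BYTES)
    return session[FIELD_NAME]


def hidden_field(token: str) -> str:
    """Render the token as a hidden form field, never as a URL parameter."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{escape(token, quote=True)}">'


def token_entropy_bits(token: str) -> int:
    """Rough entropy estimate for a base64url token: 8 bits per decoded byte.
    Mirrors the 'fewer than 128 bits' check in the finding description."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


def is_state_changing(method: str) -> bool:
    return method.upper() not in SAFE_METHODS


def verify_csrf(session: dict, method: str, form: dict) -> bool:
    """Allow safe methods unconditionally; for anything else require a token
    that matches the one bound to this session, compared in constant time."""
    if not is_state_changing(method):
        return True
    expected = session.get(FIELD_NAME)
    submitted = form.get(FIELD_NAME)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed walk-through: a victim's session, a legitimate form post,
    # and a forged cross-site post that carries the cookie but not the token.
    session = {}
    token = issue_csrf_token(session)
    print(hidden_field(token))
    print("entropy bits:", token_entropy_bits(token))
    print("legit POST  :", verify_csrf(session, "POST", {FIELD_NAME: token}))
    print("forged POST :", verify_csrf(session, "POST", {}))
    print("GET         :", verify_csrf(session, "GET", {}))
```

The forged request fails because the attacker's page can cause the browser to send the session cookie but cannot read the victim's token to include it in the form body. Note that the check is keyed on the HTTP method: if the application performs state changes on GET, no token scheme will protect it, and that endpoint must be changed to POST first.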