Cross-Site Request Forgery Token Validation Bypass

medium Web App Scanning Plugin ID 113900

Language:

Synopsis

Cross-Site Request Forgery Token Validation Bypass

Description

Cross-Site Request Forgery (CSRF) vulnerabilities remediation usually rely on the usage of CSRF tokens which are sensitive and unpredictable values shared between the web application sever and the clients. When performing sensitive or privileged actions (like submitting some forms for example), CSRF tokens are sent in the HTTP client request and validated by the server. Some web applications may fail to properly validate the CSRF tokens, leaving them still vulnerable to Cross-Site Request Forgery (CSRF) attacks.

Solution

Ensure that the CSRF tokens used by the web application are properly validated and that the CSRF tokens value cannot be predicted. Most web frameworks provide either built-in solutions or have plugins that can be used to easily add these tokens to any form. Check the references for possible solutions provided for the most known frameworks.

See Also

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://www.cgisecurity.com/csrf-faq.html

https://codex.wordpress.org/WordPress_Nonces

https://docs.djangoproject.com/en/1.11/ref/csrf/

https://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms

https://symfony.com/doc/current/form/csrf_protection.html

https://www.drupal.org/docs/7/security/writing-secure-code/create-forms-in-a-safe-way-to-avoid-cross-site-request-forgeries

https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/csrf_paper.pdf

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

https://www.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)

Plugin Details

Severity: Medium

ID: 113900

Type: remote

Family: Cross Site Request Forgery

Published: 5/31/2023

Updated: 2/2/2024

Scan Template: full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Reference Information

CWE: 352

OWASP: 2010-A5, 2013-A8, 2021-A1

WASC: Cross-Site Request Forgery

CAPEC: 111, 462, 467, 62

DISA STIG: APSC-DV-002500

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.12.6.1, 27001-A.14.2.5

NIST: sp800_53-SI-10(5)

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-4.2.2

PCI-DSS: 3.2-6.5.9