Is CSRF rule reasonable in Appscan Standard 8.6.0.0
2 replies. Latest post 2012-11-18T22:03:14Z by dd4ff

SystemAdmin

2012-11-09T05:45:08Z
My application uses a link to do the sign out action, like:
<a class="ibm-forward-link" href="signOut">Sign out</a>
In AppScan 8.5, no security issue was found on this link in both Standard and ASE. But in AppScan 8.6.0.0 Standard, a CSRF issue is found on it.
In my opinion, CSRF issue should be only scanned on "Post" request, and running CSRF checking on "sign out" action is meaningless.
Because the application will be formally scanned under ASE 8.6.0.1 by the review team later, is the CSRF rule more reasonable in the ASE version? Then I can decide whether I can ignore this issue. Thanks in advance!
David
  • warrenm1

    Re: Is CSRF rule reasonable in Appscan Standard 8.6.0.0

    2012-11-16T00:39:18Z  in response to SystemAdmin
    Hi,

    This was already answered on a different forum, but in case anyone else here is wondering I'll paste it in:

    Hi

    Actually, CSRF checks are only done on POST requests by default. The difference is that this option is configurable in AppScan Standard under Scan Configuration/Advanced Configuration/Tests: CSRF: Pattern of meaningful request

    The default value for the option is:

    ^POST

    Verify this has not been changed in the config. If it is the default and the test is done against a GET-only operation, open a PMR with support. On your second point,

    "running CSRF checking on "sign out" action is meaningless.", I don't disagree, but AppScan has no way of knowing the functionality behind every request your application performs, so there is a certain amount of user validation required here that the action performed by the request is meaningful or sensitive. In this scenario, when it requires user analysis, it is safer to report when the action itself is possible and let the user decide than to ignore a potential issue. There is an example of this in the advisory: "The severity of this vulnerability depends on the functionality of the affected application. For example, a CSRF attack on a search page is less severe than a CSRF attack on a money-transfer or profile-update page." Hope this helps.

    Regards,
    Warren
    • dd4ff

      Re: Is CSRF rule reasonable in Appscan Standard 8.6.0.0

      2012-11-18T22:03:14Z  in response to warrenm1
      Hi,

      "running CSRF checking on "sign out" action is meaningless."

      I don't know about meaningless. Situationally, you may not particularly care, so the severity might be significantly lower for you.

      But there are probably some DoS attacks that could be executed via a CSRF on a log out page.

      Dan