My application uses a link to do the sign out action, like:
<a class="ibm-forward-link" href="signOut">Sign out</a>
In AppScan 8.5, no security issue was found on this link in either Standard or ASE. But in AppScan 8.6.0.0 Standard, a CSRF issue is found on it.
In my opinion, CSRF issue should be only scanned on "Post" request, and running CSRF checking on "sign out" action is meaningless.
Because the application will be formally scanned under ASE 184.108.40.206 by review team later.
Is the CSRF rule more reasonable in the ASE version? Then I can decide if I can ignore this issue. Thanks in advance!
Pinned topic: Is CSRF rule reasonable in Appscan Standard 8.6.0.0
2 replies. Latest post 2012-11-18T22:03:14Z by dd4ff.

warrenm1 (accepted answer)
Re: Is CSRF rule reasonable in Appscan Standard 8.6.0.0, 2012-11-16T00:39:18Z, in response to SystemAdmin
Hi,
This was already answered on a different forum, but in case anyone else here is wondering I'll paste it in:
Actually, CSRF checks are only done on POST requests by default. The difference is that this option is configurable in AppScan Standard under Scan Configuration / Advanced Configuration / Tests: "CSRF: Pattern of meaningful request".
The default value for the option is:
Verify this has not been changed in the config. If it is the default and the test is done against a GET-only operation, open a PMR with support. On your second point,
"running CSRF checking on 'sign out' action is meaningless", I don't disagree, but AppScan has no way of knowing the functionality behind every request your application performs, so there is a certain amount of user validation required here that the action performed by the request is meaningful or sensitive. In this scenario, when it requires user analysis, it is safer to report when the action itself is possible and let the user decide than to ignore a potential issue. There is an example of this in the advisory: "The severity of this vulnerability depends on the functionality of the affected application. For example, a CSRF attack on a search page is less severe than a CSRF attack on a money-transfer or profile-update page." Hope this helps.
dd4ff (accepted answer)
Re: Is CSRF rule reasonable in Appscan Standard 8.6.0.0, 2012-11-18T22:03:14Z, in response to warrenm1
Hi,
"running CSRF checking on "sign out" action is meaningless."
I don't know about meaningless. Situationally, you may not particularly care - so the severity might be significantly lower for you.
But there are probably some DoS attacks that could be executed via a CSRF on a log out page.
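The two points the thread turns on, that CSRF testing is normally restricted to POST requests matching a "meaningful request" pattern, and that a GET sign-out link is nonetheless reachable cross-site, can be seen in a small simulation. The following is an added example written for this page; it is not AppScan's code, and the regular expression used as the "meaningful request" pattern is a constructed stand-in, not AppScan's default value. It contrasts the GET sign-out handler implied by the original `<a href="signOut">` link with a POST handler that requires a per-session CSRF token, and includes a scanner-side triage function that mirrors the configurable POST-only check.

```python
"""Logout CSRF, illustrated: a GET sign-out that any third-party page can
trigger, beside a POST sign-out bound to a per-session CSRF token.
Constructed example for this thread; not AppScan's or the application's code."""
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed; no framework)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Server-side session store: session id -> {"user": ..., "csrf": token}
SESSIONS = {}


def new_session(user):
    """Create a logged-in session with its own random CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def weak_sign_out(req):
    """The pattern from the thread: a plain link, so sign-out runs on GET with
    no token. Browsers attach the session cookie to any navigation or image
    load, so a link or <img src> on another site ends the victim's session."""
    sid = req.cookies.get("sid")
    if req.path == "/signOut" and sid in SESSIONS:
        del SESSIONS[sid]
        return 200, "signed out"
    return 404, "not found"


def hardened_sign_out(req):
    """POST only, and the submitted form must carry the session's CSRF token."""
    if req.method != "POST" or req.path != "/signOut":
        return 405, "method not allowed"
    sid = req.cookies.get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    token = req.form.get("csrf", "")
    # Constant-time comparison so token checking does not leak timing.
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "bad csrf token"
    del SESSIONS[sid]
    return 200, "signed out"


# Scanner-side triage: which requests deserve a CSRF test at all?
# AppScan Standard exposes this as "CSRF: Pattern of meaningful request";
# this regex is a constructed placeholder, not AppScan's default.
MEANINGFUL = re.compile(r"(signOut|logout|transfer|update|delete)", re.I)


def csrf_candidate(req, post_only=True):
    """True if a scanner with these settings would run a CSRF test on req.
    With post_only=True (the default the thread describes) a GET sign-out is
    never tested; with post_only=False the same link is flagged."""
    if post_only and req.method != "POST":
        return False
    return bool(MEANINGFUL.search(req.path))


if __name__ == "__main__":
    sid = new_session("alice")
    print(weak_sign_out(Request("GET", "/signOut", {"sid": sid})))
    sid = new_session("bob")
    print(hardened_sign_out(Request("GET", "/signOut", {"sid": sid})))
    print(hardened_sign_out(Request("POST", "/signOut", {"sid": sid},
                                    {"csrf": SESSIONS[sid]["csrf"]})))
    print(csrf_candidate(Request("GET", "/signOut")),
          csrf_candidate(Request("GET", "/signOut"), post_only=False))
```

Whether the finding matters is exactly the judgement warrenm1 describes: `csrf_candidate` decides only whether the request is worth testing, while the difference between `weak_sign_out` and `hardened_sign_out` is what the application would have to change if forced logout is a risk it cares about.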