HTML Form Without Anti-CSRF Token Detected - Printable Version
Atozed Forums (https://www.atozed.com/forums)
Forum: IntraWeb General Discussion (https://www.atozed.com/forums/forum-4.html)
Thread: HTML Form Without Anti-CSRF Token Detected (/thread-3329.html)
HTML Form Without Anti-CSRF Token Detected - pgnair - 06-23-2023

Hi Team,

Got the below vulnerability in this quarter's audit. In the ServerController security options, CheckFormID is already True. The version I am using is 15.2.62. Please advise how to fix this.

Thanks
Pramod

HTML Form Without Anti-CSRF Token Detected

Cross-Site Request Forgery (CSRF/XSRF) is a vulnerability where an attacker tricks the victim into making a request the victim did not intend to make. So the attacker abuses the trust a web application has in a victim's browser. Mostly the HTML forms submitted have CSRF tokens embedded in them while submitting the request. If a form is without this preventive measure enabled then it is very much prone to CSRF attacks and other dependent attacks. We are checking for the existence of a known list of CSRF tokens; if none of the tokens are found the target will be flagged.

RE: HTML Form Without Anti-CSRF Token Detected - Alexandre Machado - 06-23-2023

You just need to point them to the token. You will find it right at the bottom of the generated HTML, something like this:

<input name="IW_FormID_" type="hidden" value="namtCysYXuYT~1HeQ3a8a5J-h9C"></form>

A wrong value of this field will cause the IW server to reject the request. The value is per session and per instance. Two instances of the form will always have different values regardless of the session, so one user can't impersonate another user even if they have the other user's session ID.
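The two sides of this thread, as an added example that is not IntraWeb's code or the scanner's: a name-list check like the one the audit tool describes (which misses IW_FormID_ until that name is added to its list), and a per-session, per-form-instance token store with the reject-on-mismatch behaviour the reply describes. The token names in DEFAULT_TOKEN_NAMES and the form markup are constructed for this example; only the IW_FormID_ field is taken from the reply.

```python
import hmac
import secrets
from html.parser import HTMLParser

# Constructed sample: bottom of an IntraWeb page, with the hidden field quoted in the reply.
SAMPLE_FORM = ('<form method="post" action="/"><input name="q" type="text">'
               '<input name="IW_FormID_" type="hidden" value="namtCysYXuYT~1HeQ3a8a5J-h9C"></form>')

# Hypothetical "known token names" list of the kind a scanner ships with; IW_FormID_ is absent.
DEFAULT_TOKEN_NAMES = frozenset({"csrf_token", "_csrf", "authenticity_token",
                                 "__RequestVerificationToken"})


class _HiddenFields(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in the markup."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def hidden_fields(form_html):
    p = _HiddenFields()
    p.feed(form_html)
    return p.hidden


def has_anti_csrf_field(form_html, known_names=DEFAULT_TOKEN_NAMES):
    """Mimic the audit check: a form passes only if a hidden field has a recognised token name."""
    return any(name in known_names for name in hidden_fields(form_html))


class FormTokenStore:
    """Tokens bound to (session, form instance): each render gets a fresh value, and a request
    is accepted only if its value was issued to that same session."""
    def __init__(self):
        self._by_session = {}  # session_id -> set of tokens issued to that session

    def issue(self, session_id):
        tok = secrets.token_urlsafe(20)  # 160 bits of CSPRNG output per form instance
        self._by_session.setdefault(session_id, set()).add(tok)
        return tok

    def validate(self, session_id, tok):
        # Constant-time comparison against every token issued to this session.
        return any(hmac.compare_digest(t, tok) for t in self._by_session.get(session_id, ()))
```

Adding "IW_FormID_" to the scanner's known-name list turns the finding into a pass without changing the application; the store shows why a token captured from one user's page is useless in another user's session.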