HTML form without CSRF protection

Description
  • <div class="bb-coolbox"><span class="bb-dark">This alert requires manual confirmation</span></div><br/> Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a victim into making a request the victim did not intend to make. Therefore, with CSRF, an attacker abuses the trust a web application has with a victim's browser.<br/><br/> Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult the 'Attack details' section for more information about the affected HTML form.
Remediation
  • Verify if this form requires anti-CSRF protection and implement CSRF countermeasures if necessary.<br/><br/> The recommended and the most widely used technique for preventing CSRF attacks is know as an anti-CSRF token, also sometimes referred to as a synchronizer token. The characteristics of a well designed anti-CSRF system involve the following attributes.<br/><br/> <ul> <li>The anti-CSRF token should be unique for each user session</li> <li>The session should automatically expire after a suitable amount of time</li> <li>The anti-CSRF token should be a cryptographically random value of significant length</li> <li>The anti-CSRF token should be cryptographically secure, that is, generated by a strong Pseudo-Random Number Generator (PRNG) algorithm</li> <li>The anti-CSRF token is added as a hidden field for forms, or within URLs (only necessary if GET requests cause state changes, that is, GET requests are not idempotent)</li> <li>The server should reject the requested action if the anti-CSRF token fails validation</li> </ul><br/> When a user submits a form or makes some other authenticated request that requires a Cookie, the anti-CSRF token should be included in the request. Then, the web application will then verify the existence and correctness of this token before processing the request. If the token is missing or incorrect, the request can be rejected.
References