"...same request was sent twice in different sessions..."

Feb 25, 2009 at 10:25 AM
Hi,

Can this module prevent/resolve IBM's AppScan CSRF check?

Issue description looks something like:

[1 of 1] Cross-Site Request Forgery (requires user verification)
Severity: Medium
Test Type: Application
Vulnerable URL: http://somedir/somesite.aspx
Remediation Tasks: Decline malicious requests

Request/Response headers....

Reasoning:
The same request was sent twice in different sessions and the same response was received.
This shows that none of the parameters are dynamic (session identifiers are sent only in
cookies) and therefore that the application is vulnerable to this issue.

Thanks.


Coordinator
Feb 25, 2009 at 10:51 AM
I have to admit I'm not sure why AppScan thinks this is an issue or a vulnerability. The token in the form is generated from the cookie, and in order to "exploit" this lack of expiry you'd have to fake the cookie as well as the token.

At the moment CSRF tokens are deliberately persisted to avoid any need to have sessions enabled at all. The cookie itself is temporary and is cleared when the browser window is closed.

Someone else did bring this up on my blog but never responded to the reply I left there. I guess we could, optionally, link the token to a particular session and check, in much the same way ViewStateUserKey does. It wouldn't be the default behaviour however.
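To make the two designs discussed above concrete, here is an added example (not code from the AntiCSRF module or from anyone in this thread) that models a form token derived from the cookie value, first without and then with the optional session binding the Coordinator compares to ViewStateUserKey. The HMAC-based derivation, the server key, the function names and the session ids are all assumptions constructed for illustration; the `replay_check` function mirrors AppScan's test of sending the identical request under two different sessions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed server-side secret for this example only; a real deployment
# would keep a per-application key outside source control.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def new_csrf_cookie() -> str:
    """Issue the random value stored in the browser-session-scoped cookie."""
    return secrets.token_urlsafe(32)


def form_token(cookie_value: str, session_id: Optional[str] = None) -> str:
    """Derive the hidden form token from the cookie value.

    session_id=None models the persisted, session-independent token the
    thread describes (only the cookie is needed to validate it).  Passing a
    session id binds the token to that session, analogous to setting
    ViewStateUserKey to the session id.
    """
    msg = cookie_value.encode()
    if session_id is not None:
        msg += b"|" + session_id.encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def verify(cookie_value: str, submitted_token: str,
           session_id: Optional[str] = None) -> bool:
    """Server-side check: recompute the token and compare in constant time."""
    expected = form_token(cookie_value, session_id)
    return hmac.compare_digest(expected, submitted_token)


def replay_check(bind_to_session: bool) -> Tuple[bool, bool]:
    """Model AppScan's probe: the same request (cookie + token) is replayed
    under a second session.  Returns (accepted_in_A, accepted_in_B)."""
    cookie = new_csrf_cookie()
    sid_a, sid_b = "session-A", "session-B"  # constructed session ids
    issued_under = sid_a if bind_to_session else None
    token = form_token(cookie, issued_under)
    accepted_a = verify(cookie, token, sid_a if bind_to_session else None)
    accepted_b = verify(cookie, token, sid_b if bind_to_session else None)
    return accepted_a, accepted_b


def cross_site_check() -> bool:
    """Model the actual CSRF case: a request carrying the victim's cookie but
    a token computed for a different cookie value (the forging page cannot
    read the victim's cookie).  Returns whether the server accepts it."""
    victim_cookie = new_csrf_cookie()
    other_cookie = new_csrf_cookie()
    return verify(victim_cookie, form_token(other_cookie))


if __name__ == "__main__":
    print("unbound token, replayed across sessions:", replay_check(False))
    print("session-bound token, replayed across sessions:", replay_check(True))
    print("forged cross-site request accepted:", cross_site_check())
```

Without session binding the replay is accepted in both sessions, which is exactly the identical-response pattern AppScan flags, while a request that lacks the matching cookie is still rejected; with session binding the same token fails under the second session, so the scanner's replay no longer succeeds.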
Feb 25, 2009 at 11:18 AM
Thanks. I'll try to implement this module and leave Viewstate MAC on, with ViewStateUserKey = SessionID assigned at page init.
After another AppScan check I will receive "Security Report" and see if the AppScan still reports this vulnerability.