Cross-Site Request Forgery (requires user verification)

Aug 14, 2009 at 10:47 AM

Below is the result of IBM's AppScan CSRF check:

Although the above issue was discussed, it was in the context of ASP.NET. But I have achieved the same result for Classic ASP.

[1 of 1] Cross-Site Request Forgery (requires user verification)
Severity: Medium
Test Type: Application
Vulnerable URL: http://somedir/somesite.asp
Remediation Tasks: Decline malicious requests

Request/Response headers....

Reasoning:
The same request was sent twice in different sessions and the same response was received.
This shows that none of the parameters are dynamic (session identifiers are sent only in
cookies) and therefore that the application is vulnerable to this issue.


Can anyone help me get rid of the above, or give me a solution that I can incorporate in the ASP pages?
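
A worked example of the usual remediation for the finding quoted above, a per-session synchronizer token that is sent as a form parameter (not only in a cookie) and checked on every POST. This is an added illustration for readers of this thread, not code from the original poster or from the project. It assumes ASP Session state is enabled, that the form posts back to somesite.asp, and that the Windows Scriptlet.TypeLib COM object is available to obtain an OS-generated random GUID; the field name csrf_token and the helper names are made up for the example.

```asp
<%
' Added example: a synchronizer (per-session) CSRF token for Classic ASP.
' Illustrative code written for this page, not the project's own code.
' Assumptions: ASP Session state is on, the form posts back to somesite.asp,
' and Scriptlet.TypeLib is available to get an OS-generated random GUID.
Option Explicit

Const CSRF_FIELD = "csrf_token"   ' hypothetical field/session key name

' Return the session's token, creating it on first use, so two different
' sessions never share a value. That is exactly what makes the scanner's
' "same request replayed in a different session" check fail.
Function GetCsrfToken()
    If IsEmpty(Session(CSRF_FIELD)) Or Session(CSRF_FIELD) = "" Then
        Dim typeLib
        Set typeLib = Server.CreateObject("Scriptlet.TypeLib")
        ' Left(...,38) drops the trailing control characters the property
        ' returns; the Replace calls drop the surrounding braces.
        Session(CSRF_FIELD) = Replace(Replace(Left(typeLib.Guid, 38), "{", ""), "}", "")
        Set typeLib = Nothing
    End If
    GetCsrfToken = Session(CSRF_FIELD)
End Function

' Hidden field to embed in every state-changing form.
Function CsrfHiddenField()
    CsrfHiddenField = "<input type=""hidden"" name=""" & CSRF_FIELD & _
                      """ value=""" & Server.HTMLEncode(GetCsrfToken()) & """>"
End Function

' True only when the submitted token matches the session's token.
' Read the token from the POST body (Request.Form), never from the query
' string or a cookie: a cross-site form can only forge what it can guess,
' and the session cookie is sent by the browser automatically.
Function IsValidCsrfRequest()
    Dim expected, submitted
    expected = Session(CSRF_FIELD)
    submitted = Request.Form(CSRF_FIELD)
    IsValidCsrfRequest = False
    If expected <> "" And Len(submitted) = Len(expected) Then
        ' vbBinaryCompare: case-sensitive, exact match only
        If StrComp(submitted, expected, vbBinaryCompare) = 0 Then
            IsValidCsrfRequest = True
        End If
    End If
End Function

' Request handling for somesite.asp: verify the token on POST before doing
' anything with side effects; on GET just render the form with the token.
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Not IsValidCsrfRequest() Then
        Response.Status = "403 Forbidden"
        Response.Write "Request rejected."
        Response.End
    End If
    ' ... perform the state change here ...
End If
%>
<form method="post" action="somesite.asp">
    <%= CsrfHiddenField() %>
    <input type="text" name="amount">
    <input type="submit" value="Submit">
</form>
```

Two points worth checking if you adopt this: the check must run on every page that changes state, not only the one the scanner flagged, and state changes should only be accepted over POST, since a token embedded in a GET URL leaks through the Referer header and browser history.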

Coordinator
Aug 14, 2009 at 11:18 AM

I don't view this as a vulnerability so it's not urgent for me to fix.

Oh, and thanks for using an email address with an autoresponder, which is now spamming CodePlex because you told it to email you when the thread changed.

Aug 17, 2009 at 10:59 AM

Sorry about the autoresponder. I hope to get some positive reply in the near future.

Coordinator
Aug 17, 2009 at 11:22 AM

Your autoresponder is STILL running and creating threads. Please edit your account and change its email address to a personal email address rather than a generic drop box which auto-replies.

And my reply still stands: I don't view this as a vulnerability, and I am in no rush to code something specifically to pass IBM's scanning tool.