debian-mirror-gitlab/doc/user/application_security/dast/checks/352.1.md
2022-07-23 20:15:48 +02:00

---
stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Absence of anti-CSRF tokens

## Description

The application does not protect against Cross-Site Request Forgery (CSRF) with either secure anti-CSRF tokens or SameSite cookie directives.

An attacker can exploit this by placing a link or form on a third-party site and tricking an authenticated victim into following it; the victim's browser then submits the request together with the victim's session cookies, so the application treats it as a legitimate action.

## Remediation

Consider setting the `SameSite=Strict` attribute on all session cookies. Note, however, that this can impact usability when links are shared through other mediums, because a user following such a link arrives without their session. The recommended approach is a two-cookie scheme, as outlined in the Top level navigations section of the RFC.

If the application uses a common framework, anti-CSRF protection is likely already built in but may need to be enabled. Consult your application framework's documentation for details.

If neither of the above applies, use a well-established third-party library. Implementing a secure anti-CSRF system is a significant investment and is difficult to do correctly.
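The two-cookie scheme mentioned above, as an added example that is not part of the GitLab documentation or of GitLab's own code: the same session id is issued once with `SameSite=Lax` (so a shared link still lands on an authenticated page) and once with `SameSite=Strict` (required for any state-changing request). The cookie names `sid_lax`/`sid_strict`, the in-memory session store and the absence of a web framework are assumptions made for the demonstration.

```python
# Added example, not from the GitLab documentation: the two-cookie SameSite
# approach the remediation refers to, in plain Python with no framework. The
# cookie names `sid_lax`/`sid_strict` and the dict session store are assumed.
from http.cookies import SimpleCookie
from typing import Optional
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SESSIONS: dict = {}  # constructed in-memory store: session id -> user


def issue_session_cookies(user: str) -> list:
    """Log `user` in and return the Set-Cookie header values to send.

    The SameSite=Lax copy still arrives on a top-level navigation from another
    site, so a shared link opens an authenticated page. The SameSite=Strict
    copy is never sent cross-site and is required for state-changing requests.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    headers = []
    for name, samesite in (("sid_lax", "Lax"), ("sid_strict", "Strict")):
        jar = SimpleCookie()
        jar[name] = sid
        jar[name]["httponly"] = True   # not readable by script
        jar[name]["secure"] = True     # HTTPS only
        jar[name]["path"] = "/"
        jar[name]["samesite"] = samesite
        headers.append(jar[name].OutputString())
    return headers


def authorize(method: str, cookies: dict) -> Optional[str]:
    """Return the user for the request, or None if it must be rejected.

    Safe methods are authenticated by the Lax cookie alone. Any other method
    must also carry the Strict cookie, which a forged cross-site request lacks.
    State changes must therefore only be reachable through non-safe methods.
    """
    lax = cookies.get("sid_lax")
    if lax is None or lax not in SESSIONS:
        return None
    if method.upper() in SAFE_METHODS:
        return SESSIONS[lax]
    strict = cookies.get("sid_strict", "")
    if not hmac.compare_digest(strict.encode(), lax.encode()):
        return None  # missing or mismatched Strict cookie
    return SESSIONS[lax]
```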

## Details

| ID | Aggregated | CWE | Type | Risk |
|:---|:-----------|:----|:-----|:-----|
| 352.1 | true | 352 | Passive | Medium |