This is a migrated thread and some comments may be shown as answers.

Absence of Anti-CSRF Tokens

Afandi asked on 04 Mar 2020, 10:26 AM

Hi Telerik,

We did the security scanning for our website using Acunetix Security Scanner. We received a summary that related to Kendo UI.

4. Absence of Anti-CSRF Tokens [Low]
Triggered by: Kendo All min.js, and those MVC forms which do not have @Html.AntiForgeryToken()
Solution: For Kendo, there isn't one yet.
For MVC forms which do not use the form submit feature, change the <form> to a <div> HTML tag.
For MVC forms which use form submit, add @Html.AntiForgeryToken(); the MVC controller will automatically receive and validate this token when the form is submitted.

I was wondering if you could give me some advice about this.

Veselin Tsvetanov (Telerik team) answered on 06 Mar 2020, 06:49 AM

Hello Afandi,

Security at the application level (in the discussed case, client/server communication) is determined by the way the different parts of the application are organized and used together. That being said, using @Html.AntiForgeryToken() in an ASP.NET MVC application is a proper approach to apply an additional security level to that part of the app.

Concerning the Kendo UI scenario in question, I suppose you are referring to some kind of client-side JavaScript application. Depending on the technology involved in the server implementation, you may approach the scenario in question in different ways. Here is general advice on the above, as well as a specific example for Node.js applications:

https://stackoverflow.com/questions/3664044/anti-csrf-token-and-javascript

https://blog.insiderattack.net/developing-secure-node-js-applications-a-broad-guide-286afdec69ce

Regards,
Veselin Tsvetanov
Progress Telerik
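As an added example (not code from this thread or from Telerik), here is one way to close the gap the scanner flagged for a client-side Kendo UI application talking to an ASP.NET MVC backend: read the hidden __RequestVerificationToken field that @Html.AntiForgeryToken() renders and attach it to every DataSource transport request, so a controller action marked [ValidateAntiForgeryToken] can check it. The helper names are assumptions, Kendo UI also ships kendo.antiForgeryTokens() for the same lookup, and the stand-in page at the bottom is constructed so the code runs without a browser.

```javascript
// Hidden field name rendered by @Html.AntiForgeryToken() (ASP.NET MVC); the
// server action must carry [HttpPost] and [ValidateAntiForgeryToken].
const TOKEN_FIELD = "__RequestVerificationToken";

// Return the token value from the hidden input on the page. `root` is the
// document (or any object exposing querySelectorAll). Failing loudly is better
// than silently sending requests without the token.
function readAntiForgeryToken(root) {
  const inputs = root.querySelectorAll(`input[name="${TOKEN_FIELD}"]`);
  for (const input of inputs) {
    if (input.value) return input.value;
  }
  throw new Error(`${TOKEN_FIELD} not found: render @Html.AntiForgeryToken() in the view`);
}

// Build a Kendo DataSource transport in which every operation POSTs and adds
// the token to the request parameters. Kendo invokes the `data` function on
// each request and merges the returned object with its own paging/sorting
// parameters, so the token travels as a form field, which is where MVC's
// anti-forgery validation looks for it (alongside the paired cookie).
function buildTransport(baseUrl, root) {
  const transport = {};
  for (const op of ["read", "create", "update", "destroy"]) {
    transport[op] = {
      url: `${baseUrl}/${op}`,
      type: "POST",
      data: () => ({ [TOKEN_FIELD]: readAntiForgeryToken(root) }),
    };
  }
  return transport;
}

// Constructed stand-in for `document`, holding what @Html.AntiForgeryToken()
// would have rendered; in the browser pass `document` instead.
function constructedPage(tokenValue) {
  return {
    querySelectorAll: (selector) =>
      selector.includes(TOKEN_FIELD) && tokenValue ? [{ value: tokenValue }] : [],
  };
}

// Usage in the browser (needs Kendo UI, not executed here):
// new kendo.data.DataSource({ transport: buildTransport("/orders", document), ... });
const demoTransport = buildTransport("/orders", constructedPage("constructed-token-abc"));
console.log(demoTransport.update.data()); // { __RequestVerificationToken: "constructed-token-abc" }
```

Read requests that are side-effect free do not strictly need the token, but sending it on all operations keeps the scanner quiet and makes every state-changing call (create, update, destroy) validated server-side.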
