Absence of Anti-CSRF Tokens

2 posts, 0 answers
  1. Afandi
    13 posts
    Member since:
    Aug 2014

    Posted 04 Mar

    Hi Telerik,

    We did security scanning of our website using the Acunetix Security Scanner. We received a summary item related to Kendo UI.

    4. Absence of Anti-CSRF Tokens [Low]
    Triggered by: Kendo All min.js, and those MVC forms which do not have @Html.AntiForgeryToken()
    Solution: For Kendo, we don't have one yet.
    For MVC forms which do not use the form submit feature, change the <form> to a <div> HTML tag.
    For MVC forms which use form submit, add @Html.AntiForgeryToken(); the MVC controller will automatically receive and validate this token when the form is submitted.

    I was wondering if you could give me some advice about this.


  2. Veselin Tsvetanov
    Admin
    1126 posts

    Posted 06 Mar

    Hello Afandi,

    Security at the application level (in the discussed case, client/server communication) is determined by the way the different parts of the application are organized and used together. Having said that, using @Html.AntiForgeryToken() in an ASP.NET MVC application is a proper approach to applying an additional level of security to that part of the app.

    Concerning the Kendo UI scenario in question, I suppose you are referring to some kind of client-side JavaScript application. Depending on the technology involved in the server implementation, you may approach the scenario in question in different ways. Here is some general advice on the above, as well as a specific example for Node.js applications:

    https://stackoverflow.com/questions/3664044/anti-csrf-token-and-javascript

    https://blog.insiderattack.net/developing-secure-node-js-applications-a-broad-guide-286afdec69ce

    Regards,
    Veselin Tsvetanov
    Progress Telerik
