How to resolve Absence of Anti-csrf Token alert in Kendo.all.min.js ?

Pranali asked on 24 Mar 2022, 09:24 AM

While security testing the application with the OWASP ZAP tool, the medium-risk alert 'Absence of Anti-CSRF Token' pops up for a form tag in Kendo.all.min.js.

I even tried updating the Kendo version to 2022 (latest) in Kendo.all.min.js.

Are there any ways to resolve it?

Aleksandar
Telerik team
answered on 29 Mar 2022, 06:55 AM

Hello Pranali,

Security at the application level, meaning the communication between client and server, is determined by the way different parts of the application are organized and used together. Using @Html.AntiForgeryToken() in an ASP.NET Core application is a proper approach to apply an additional security level to that part of the app. Refer to this knowledge base article, which demonstrates how to send the anti-forgery token with Grid requests in ASP.NET Core and ASP.NET MVC applications:

Send Anti-Forgery Token with Grid Requests in ASP.NET Core and ASP.NET MVC Projects

The DataSource component uses jQuery.ajax to make an HTTP request to the remote service. The values configured via the transport configuration are passed to jQuery.ajax. The DataSource also allows setting custom headers, in case you want to pass the RequestVerificationToken via the request headers, as suggested in Microsoft's documentation.

As I see a form tag in the screenshot, note that the Form component also supports hidden fields and will send the anti-forgery token, if configured as demonstrated in the documentation.

I hope the above information clarifies how to send anti-forgery tokens using Telerik UI for ASP.NET Core components.

Regards,
Aleksandar
Progress Telerik
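The answer above names three places the token can travel: the hidden field rendered by @Html.AntiForgeryToken(), the DataSource transport data (Telerik's KB article reads it with the built-in kendo.antiForgeryTokens()), and a custom request header. The following is an added example, not code from this thread, from Telerik, or from Microsoft. It builds a Kendo-compatible transport configuration that carries the token both as the __RequestVerificationToken form field and as the RequestVerificationToken header (the default header name in ASP.NET Core's AntiforgeryOptions), and adds a simplified stand-in for the server-side acceptance rule. Assumptions: the /Grid/* URLs are hypothetical, `samplePage` is a constructed stand-in for the browser `document`, and `requestCarriesToken` illustrates the rule only; the real ASP.NET Core filter also validates the paired antiforgery cookie.

```javascript
// Added example, not Telerik's code. Builds a kendo.data.DataSource transport
// that sends the ASP.NET Core anti-forgery token with every unsafe request.
// Kendo hands each transport operation to jQuery.ajax, so `type`, `data` and
// `beforeSend` below are ordinary jQuery.ajax settings.

const TOKEN_FIELD = "__RequestVerificationToken";   // form field emitted by @Html.AntiForgeryToken()
const TOKEN_HEADER = "RequestVerificationToken";    // default AntiforgeryOptions.HeaderName

// Read the hidden input rendered by @Html.AntiForgeryToken().
// `root` is anything exposing querySelector (the browser `document` in practice).
// Equivalent in spirit to kendo.antiForgeryTokens(), which the Telerik KB uses.
function readAntiForgeryToken(root) {
  const input = root.querySelector(`input[name="${TOKEN_FIELD}"]`);
  if (!input || !input.value) {
    throw new Error("anti-forgery token not found; render @Html.AntiForgeryToken() on the page");
  }
  return input.value;
}

// Build the transport passed to new kendo.data.DataSource({ transport: ... }).
// The token is read lazily on each request, so a token re-rendered after a
// login or partial-view refresh is picked up without rebuilding the grid.
function antiForgeryTransport(root, urls) {
  const op = (url) => ({
    url,
    type: "POST",                                 // ASP.NET Core validates the token only on unsafe methods
    dataType: "json",
    // merged by Kendo with its own paging/sorting parameters
    data: () => ({ [TOKEN_FIELD]: readAntiForgeryToken(root) }),
    // header variant, the one Microsoft's docs suggest for AJAX calls
    beforeSend: (xhr) => xhr.setRequestHeader(TOKEN_HEADER, readAntiForgeryToken(root)),
  });
  return {
    read: op(urls.read),
    create: op(urls.create),
    update: op(urls.update),
    destroy: op(urls.destroy),
  };
}

// Simplified, illustrative stand-in for the server-side rule (NOT the ASP.NET
// Core implementation): [ValidateAntiForgeryToken] accepts the request token
// from either the form field or the header; the real filter additionally
// checks that it pairs with the antiforgery cookie.
function requestCarriesToken(req, expectedToken) {
  const fromForm = req.form ? req.form[TOKEN_FIELD] : undefined;
  const fromHeader = req.headers ? req.headers[TOKEN_HEADER] : undefined;
  return fromForm === expectedToken || fromHeader === expectedToken;
}

// Constructed stand-in for a page that rendered @Html.AntiForgeryToken();
// in the browser pass `document` instead. The token value is made up.
const samplePage = {
  querySelector: (selector) =>
    selector.includes(TOKEN_FIELD) ? { value: "CfDJ8-constructed-sample-token" } : null,
};

// Hypothetical endpoints of an ASP.NET Core GridController.
const gridTransport = antiForgeryTransport(samplePage, {
  read: "/Grid/Read",
  create: "/Grid/Create",
  update: "/Grid/Update",
  destroy: "/Grid/Destroy",
});

// Simulate what jQuery.ajax would send for an update, then apply the server rule.
function simulateUpdate(transport, root) {
  const xhr = { headers: {}, setRequestHeader(name, value) { this.headers[name] = value; } };
  transport.update.beforeSend(xhr);
  const request = { form: transport.update.data(), headers: xhr.headers };
  return requestCarriesToken(request, readAntiForgeryToken(root));
}

console.log("update request accepted:", simulateUpdate(gridTransport, samplePage));
```

In the real page the same object is assigned to the DataSource's `transport` option; the MVC/Core HtmlHelper wrappers expose the equivalent through `.DataSource(ds => ds.Ajax().Read(r => r.Action("Read", "Grid").Data("...")))`, where the JavaScript function named in `.Data()` returns the token object. Sending the token as a header only helps if the server's `AddAntiforgery` configuration keeps the default header name or sets `options.HeaderName` to match.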


Tags
Security