While security testing the application with the OWASP ZAP tool, a medium-risk issue, 'Absence of Anti-CSRF Token', in kendo.all.min.js is popping up.
I even tried upgrading kendo.all.min.js from the 2021 version to the latest 2022 version.
Are there any ways to resolve it?
Hi Pranali,
Security at the application level, meaning the communication between client and server, is determined by the way different parts of the application are organized and used together. Using the @Html.AntiForgeryToken() in an ASP.NET Core application is a proper approach to applying additional security levels to that part of the app. Refer to this knowledge base article that demonstrates how to send the Antiforgery token with Grid requests in ASP.NET Core and ASP.NET MVC applications:
The DataSource component uses jQuery.ajax to make an HTTP request to the remote service. The values configured via transport configuration are passed to jQuery.ajax. The DataSource allows you to also set custom headers, in case you desire to pass the RequestVerificationToken via the request headers, as suggested in Microsoft's documentation.
As I see a form tag in the screenshot, note that the Form component also supports hidden fields and will send the Antiforgery tokens, if configured as demonstrated in the documentation.
I hope the above information clarifies how to send Antiforgery tokens using Telerik UI for ASP.NET Core components.
Kind Regards,
Anton Mironov
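Anton's description of passing the RequestVerificationToken through the DataSource transport headers, written out as an added example (not from the thread or Telerik's own code). The hidden-field and header names are ASP.NET Core's defaults; the sample markup, the `/Grid` URLs and the function names are constructed for illustration.

```javascript
// Added example: wiring the ASP.NET Core antiforgery token into a Kendo DataSource
// transport via a request header. Field and header names are ASP.NET Core defaults;
// the sample HTML, URLs and function names are constructed for this illustration.
const HIDDEN_FIELD = "__RequestVerificationToken"; // rendered by @Html.AntiForgeryToken()
const HEADER_NAME = "RequestVerificationToken";    // header the server reads by default

// Pull the token out of the hidden input. Accepts a raw HTML string (so this runs
// offline) or a DOM document; returns null when no token is present on the page.
function readAntiForgeryToken(source) {
  if (typeof source === "string") {
    const tagRe = new RegExp(`<input\\b[^>]*name="${HIDDEN_FIELD}"[^>]*>`, "i");
    const input = source.match(tagRe);
    if (!input) return null;
    const value = input[0].match(/\bvalue="([^"]*)"/i);
    return value ? value[1] : null;
  }
  const el = source.querySelector(`input[name="${HIDDEN_FIELD}"]`);
  return el ? el.value : null;
}

// Build the DataSource transport. Kendo hands each operation's settings to
// jQuery.ajax, so `headers` is honoured and the token travels with every request.
// A missing token would make the mutating operations fail with HTTP 400 on the
// server, so fail loudly here rather than ship a misconfigured grid.
function buildAntiForgeryTransport(baseUrl, token) {
  if (!token) {
    throw new Error("antiforgery token not found; is @Html.AntiForgeryToken() rendered?");
  }
  const headers = { [HEADER_NAME]: token };
  return {
    read:    { url: `${baseUrl}/Read`,    type: "POST", headers },
    create:  { url: `${baseUrl}/Create`,  type: "POST", headers },
    update:  { url: `${baseUrl}/Update`,  type: "POST", headers },
    destroy: { url: `${baseUrl}/Destroy`, type: "POST", headers },
  };
}

// Constructed stand-in for the markup Razor emits; a real token is much longer.
const SAMPLE_PAGE = '<form method="post">' +
  '<input name="__RequestVerificationToken" type="hidden" value="CfDJ8-constructed-sample" />' +
  '</form>';

function demo() {
  const token = readAntiForgeryToken(SAMPLE_PAGE);
  const transport = buildAntiForgeryTransport("/Grid", token);
  // In the browser with Kendo loaded: new kendo.data.DataSource({ transport, ... });
  return transport;
}
```

ASP.NET Core does not validate the token on safe methods such as GET, so sending the header on every operation is harmless and keeps the configuration uniform.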
Hi Dion,
Thank you for the clarification.
I spoke with other members of the team and we will try our best in order to resolve the behavior you pointed out. Could you please share some further information:
Looking forward to hearing back from you.
Best Regards,
Anton Mironov
The content is exactly as in the screenshot from the original poster above. I have reproduced it below with a little more detail. You will see the offending code in the display. Each of the 10 items shows a different part of the code when clicked. This example shows kendo.min.js has 10 different sections of code where this needs to be addressed. It is a pretty simple fix to add the Anti-CSRF token into the code.
To reproduce, simply run OWASP ZAP 2.11.1 with default settings by putting in the top URL of the website that has Kendo and click Attack. Selecting Alerts will show you the issue within a few seconds.
Hi Dion,
Thank you for the image and additional details provided.
I confirm that you are correct. The issue is caused by a form in the mobile.listview. By design, it should be rendered but I assume that you do not need it and the mobile listview at all.
In order to achieve the desired behavior, I would recommend creating a custom bundle without the mobile listview:
Give the approach above a try and let me know if further assistance is needed.
Thanks Anton, but don't you think that this should be correct by default in your kendo.all.min.js rather than requiring these extra steps?
I am sure many users have hit this issue. It is a very easy fix with just 1 or 2 lines per form. This is how we have addressed it, by editing kendo.all.min.js to include an anti-CSRF token.
Regards
Dion
Hi Anton,
Are there any updates on this? It would be great if this could be resolved for all users by making the necessary adjustments in kendo.all.min.js rather than having your users make the adjustment each time it is updated. Thanks
Hi Dion,
We've logged it for fixing: https://feedback.telerik.com/kendo-jquery-ui/1572548-missing-anti-crsf-tokens-in-kendo-all-min-js
I've added a comment to the Feedback Item, that explains why the issue was declined by the team.