How to resolve Absence of Anti-csrf Token alert in Kendo.all.min.js ?

Security
Pranali asked on 24 Mar 2022, 03:37 PM

While security testing the application through the OWASP ZAP tool, a medium risk level issue, 'Absence of Anti-csrf Token' in kendo.all.min.js, is popping up.

I even tried to upgrade kendo.all.min.js from the 2021 version to the latest 2022 version.

Are there any ways to resolve it?

Anton Mironov
Telerik team
commented on 29 Mar 2022, 07:03 AM

Hi Pranali,

Security at the application level, meaning the communication between client and server, is determined by the way different parts of the application are organized and used together. Using the @Html.AntiForgeryToken() in an ASP.NET Core application is a proper approach to applying additional security levels to that part of the app. Refer to this knowledgebase article that demonstrates how to send Antiforgery token with Grid Requests in ASP.NET Core and ASP.NET MVC applications:

The DataSource component uses jQuery.ajax to make an HTTP request to the remote service. The values configured via transport configuration are passed to jQuery.ajax. The DataSource allows you to also set custom headers, in case you desire to pass the RequestVerificationToken via the request headers, as suggested in Microsoft's documentation.

As I see a form tag in the screenshot, note that the Form component also supports hidden fields and will send the Antiforgery tokens, if configured as demonstrated in the documentation.

I hope the above information clarifies how to send Antiforgery tokens using Telerik UI for ASP.NET Core components. 

Kind Regards,
Anton Mironov
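
An added example (not Telerik's code) of the header approach described above: a DataSource transport whose requests carry the token rendered by @Html.AntiForgeryToken() in the "RequestVerificationToken" header. The base URL "/api/products" and the endpoint names are assumptions.

```javascript
// Added example (not Telerik's code): a Kendo DataSource transport whose
// requests carry the ASP.NET Core antiforgery token in the
// "RequestVerificationToken" header. The token value is read at request
// time from the hidden input that @Html.AntiForgeryToken() renders.
// Assumed: the server validates with [ValidateAntiForgeryToken] or
// AutoValidateAntiforgeryTokenAttribute; "/api/products" is a made-up URL.
const TOKEN_FIELD = "__RequestVerificationToken";   // hidden input name
const TOKEN_HEADER = "RequestVerificationToken";    // header ASP.NET Core checks

// Look up the token from the DOM (or any object exposing querySelector).
function readAntiforgeryToken(doc) {
  const input = doc.querySelector(`input[name="${TOKEN_FIELD}"]`);
  return input && input.value ? input.value : null;
}

// Build the transport block for `new kendo.data.DataSource({ transport })`.
// Each entry is a jQuery.ajax settings object, which Kendo passes through
// unchanged; beforeSend attaches the header to every CRUD request.
function antiforgeryTransport(baseUrl, getToken) {
  const action = (name) => ({
    url: `${baseUrl}/${name}`,
    type: "POST",
    dataType: "json",
    beforeSend(xhr) {
      const token = getToken();
      if (!token) {
        // Refuse to send a state-changing request without the token rather
        // than let the server reject it (or, if unvalidated, accept it).
        throw new Error("antiforgery token not found in page");
      }
      xhr.setRequestHeader(TOKEN_HEADER, token);
    },
  });
  return {
    read: action("Read"),
    create: action("Create"),
    update: action("Update"),
    destroy: action("Destroy"),
  };
}

// Typical wiring in the page (requires jQuery and kendo.all.min.js loaded):
// const transport = antiforgeryTransport("/api/products",
//   () => readAntiforgeryToken(document));
// const ds = new kendo.data.DataSource({ transport, schema: { data: "Data" } });
```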

Dion
commented on 30 May 2022, 01:21 AM

I think users understand how to use the anti-CSRF token. The question is more specific - how do you address the issue that the kendo.all.min.js script is triggering multiple alerts when it is scanned for security. We have to constantly explain the issue is a false positive to clients when we ship our software and they do a security scan. This issue happens in OWASP Zap, a very popular tool, and many other tools. This can be fixed by making adjustments to the Kendo JavaScript. It would be appreciated if Kendo themselves made the changes rather than forcing users to do this change every time that they do updates to the Kendo products.

Anton Mironov
Telerik team
commented on 02 Jun 2022, 12:00 PM

Hi Dion,

Thank you for the clarification.

I spoke with other members of the team and we will try our best in order to resolve the pointed behavior. Could you please share some further information:

  • What is the content of the false-positive errors you receive
  • More details on the scanning process that you are setting for the OWASP tool
  • Images, Videos, replication steps, etc.

Looking forward to hearing back from you.

Best Regards,
Anton Mironov


Dion
commented on 06 Jun 2022, 05:11 AM

Hi Anton,

The content is exactly as in the screenshot from the original poster above. I have reproduced it below with a little more detail. You will see the offending code in the display. Each of the 10 items shows a different part of the code when clicked. This example shows kendo.min.js has 10 different sections of code where this needs to be addressed. It is a pretty simple fix to add the Anti-CSRF token into the code.

To reproduce, simply run OWASP ZAP 2.11.1 with default settings by putting in the top URL of the website that has Kendo and click Attack. Selecting Alerts will show you the issue within a few seconds.

Anton Mironov
Telerik team
commented on 08 Jun 2022, 12:03 PM

Hi Dion,

Thank you for the image and additional details provided.

I confirm that you are correct. The issue is caused by a form in the mobile.listview. By design, it should be rendered but I assume that you do not need it and the mobile listview at all.

In order to achieve the desired behavior, I would recommend creating a custom bundle without the mobile listview:

Give a try the approach above and let me know if further assistance is needed.


Kind Regards,
Anton Mironov
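
To show what the scanner is actually checking, here is an added example (not ZAP's or Telerik's code) that approximates the passive "Absence of Anti-CSRF Tokens" rule over constructed HTML: a form template with no token input is flagged whether or not it ever posts to a server, and adding a hidden token input is what silences it. The token names and the sample markup are assumptions for this example.

```javascript
// Added example (not ZAP's or Telerik's code): a simplified replica of the
// ZAP "Absence of Anti-CSRF Tokens" passive check. It flags every <form>
// whose inputs include none of the known token field names, which is why a
// form living in a script template inside kendo.all.min.js can trip it.
// Token names are modelled on ZAP's default list; HTML samples are constructed.
const ANTI_CSRF_NAMES = new Set([
  "__requestverificationtoken", "csrf_token", "csrfmiddlewaretoken",
  "_csrf", "_token", "authenticity_token", "anticsrf", "owasp_csrftoken",
]);

// Return every <form>...</form> fragment in the scanned text.
function findForms(html) {
  return html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || [];
}

// True if any <input> in the fragment is named like an anti-CSRF token.
function hasAntiCsrfInput(formHtml) {
  const nameRe = /<input\b[^>]*\bname\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = nameRe.exec(formHtml)) !== null) {
    if (ANTI_CSRF_NAMES.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Forms that would raise the alert.
function formsWithoutToken(html) {
  return findForms(html).filter((f) => !hasAntiCsrfInput(f));
}

// Constructed samples: a client-side filter form as found in a JS template
// (no token; the rule still fires, the false positive discussed above), the
// same template with a hidden token input (silences the rule), and a real
// server-bound form rendered with @Html.AntiForgeryToken().
const TEMPLATE_NO_TOKEN =
  '<form class="filter"><input type="search" name="q"></form>';
const TEMPLATE_WITH_TOKEN =
  '<form class="filter"><input type="hidden" name="__RequestVerificationToken" value="T">' +
  '<input type="search" name="q"></form>';
const SERVER_FORM =
  '<form method="post" action="/orders"><input name="__RequestVerificationToken" type="hidden" value="T">' +
  '<input name="qty"></form>';
```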

Dion
commented on 08 Jun 2022, 12:10 PM

Thanks Anton, but don't you think that this should be correct by default in your kendo.all.min.js rather than requiring these extra steps?

I am sure many users have hit this issue. It is a very easy fix with just 1 or 2 lines per form. This is how we have addressed it, by editing kendo.all.min.js to include an anti-CSRF token.

Regards

Dion

Dion
commented on 09 Jul 2022, 10:07 AM

Hi Anton,

Are there any updates on this? It would be great if this could be resolved for all users by making the necessary adjustments in kendo.all.min.js rather than having your users make the adjustment each time it is updated.

Thanks

Dion

Ivan Danchev
Telerik team
commented on 14 Jul 2022, 06:32 AM

Dion
commented on 20 Aug 2022, 09:02 AM

Hi,

I see this has been rejected as not a valid issue. This is a very valid issue for your clients. Having to manually edit kendo.all.min.js every time there is an update is annoying and unnecessary. It would take the Kendo team very little time to correct this issue. Can you please explain why it was rejected? There is no explanation on the link.

Ivan Danchev
Telerik team
commented on 24 Aug 2022, 02:26 PM

Hi Dion,

I've added a comment to the Feedback Item that explains why the issue was declined by the team.

Regards,
Ivan Danchev
