While Security testing of application through OWASP Zap tool, Medium risk level issue as 'Absence of Anti-csrf Token' in kendo.all.min.js is popping up
Even I tried to upgrade kendo.all.min.js from 2021 to 2022 latest version
are there any ways to resolve it ?
Hi Pranali,
Security at the application level, meaning the communication between client and server, is determined by the way different parts of the application are organized and used together. Using the @Html.AntiForgeryToken() in an ASP.NET Core application is a proper approach to applying additional security levels to that part of the app. Refer to this knowledgebase article that demonstrates how to send Antiforgery token with Grid Requests in ASP.NET Core and ASP.NET MVC applications:
The DataSource component uses jQuery.ajax to make an HTTP request to the remote service. The values configured via transport configuration are passed to jQuery.ajax. The DataSource allows you to also set custom headers, in case you desire to pass the RequestVerificationToken via the request headers, as suggested in Microsoft's documentation.
As I see a form tag in the screenshot, note that the Form component also supports hidden fields and will send the Antiforgery tokens, if configured as demonstrated in the documentation.
I hope the above information clarifies how to send Antiforgery tokens using Telerik UI for ASP.NET Core components.
Kind Regards,
Anton Mironov
Hi Dion,
Thank you for the clarification.
I spoke with other members of the team and we will try our best in order to resolve the pointed behavior. Could you please share some further information:
Looking forward to hearing back from you.
Best Regards,
Anton Mironov
Hi Anton,
The content is exactly as in the screenshot from the original poster above. I have reproduced it below with a little more detail. You will see the the offending code in the display. Each of the 10 items shows a different part of the code when clicked. This example shows kendo.min.js has 10 different sections of code where this needs to be addressed. It is a pretty simple fix to add the Anti-CRSF token into the code.
To reproduce, simply run OWASP ZAP 2.11.1 with default settings by putting in the top URL of the website that has Kendo and click Attack. Selecting Alerts will show you the issue within a few seconds.
Hi Dion,
Thank you for the image and additional details provided.
I confirm that you are correct. The issue is caused by a form in the mobile.listview. By design, it should be rendered but I assume that you do not need it and the mobile listview at all.
In order to achieve the desired behavior, I would recommend creating a custom bundle without the mobile listview:
Give a try the approach above and let me know if further assistance is needed.
Kind Regards,
Anton Mironov
Thanks Anton, but don't you think that this should be correct by default in your kendo.all.min.js rather than requiring these extra steps?
I am sure many users have hit this issue. It is a very easy fix with just 1 or 2 lines per form. This is how we have addressed it, by editing kendo.all.min.js to include an anti-CRSF token.
Regards
Dion
Hi Anton,
Is there any updates on this? It would be great if this could be resolved for all users by making the necessary adjustments in kendo.all.min.js rather than having your users make the adjustment each time it is updated.
Thanks
Dion
Hi Dion,
We've logged it for fixing: https://feedback.telerik.com/kendo-jquery-ui/1572548-missing-anti-crsf-tokens-in-kendo-all-min-js
Regards,
Ivan Danchev
I see this has been rejected as not a valid issue. This is a very valid issue for your clients. Having to manually edit kendo-all-min.js every time there is an update is annoying and unnecessary. It would take the Kendo team very little time to correct this issue. Can you please explain why it was rejected? There is no explanation on the link.
Hi Dion,
I've added a comment to the Feedback Item, that explains why the issue was declined by the team.
Regards,
Ivan Danchev
We have the same situation with this file kendo.all.min.js in which the mentioned vulnerabilities are thrown at us, could you please tell me how you modify said file to solve these vulnerabilities. since I have been trying several ways to include the Anti-CRSF token in this file but they have not worked for me.
Regards,
Hi Wilson,
I noticed that you have the same issue as described by Dion earlier in the thread. Please note, that as mentioned by my colleague Ivan, there is a logged Feature Request in our Feedback Portal:
- https://feedback.telerik.com/kendo-jquery-ui/1599021-handle-anti-crsf-tokens-in-kendo-all-min-js
I would encourage you to cast a vote for the request, so it could gather more votes and be prioritized sooner.
Regards,
Neli