This is a migrated thread and some comments may be shown as answers.

Telerik + OWASP + Cross-Site Request Forgery

Kyle asked on 01 Aug 2012, 05:59 PM

I was hoping to get some information on an issue that I ran into when running my website through Fortify. I have a feeling that it is a false positive, but need some air tight logic that can explain why these issues should not be a concern to the client. Or if it is not a false positive, how should I go about resolving the issue.


My web code returned two issues under the category of "Cross-Site Request Forgery". The files in question are Controls.js and SpellCheckService.js. Fortify says "Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance of the request. One way to do that is to include a random request."


I did some searching to see if this issue has been brought up before and what the resolution might be, but was unable to find anything that I could use to explain the issue.


I am not sure if this issue could be valuable to an attacker as a CSRF target and whether or not appropriate mitigation techniques need to be in place. But like I said above, I need to explain clearly why it does not have the potential to be exploited, if that is in fact the case in this example. Thanks for your help and I look forward to your explanation.


Controls.js:

Line 2072: _65.open("POST",url,true);


SpellCheckService.js:

Line 50: this._xmlHttpRequest.open("POST",this.GetTimeStampedCallbackUrl(),true);

1 Answer, 1 is accepted

Niko
Telerik team
answered on 03 Aug 2012, 01:44 PM
Hello Kyle,

The specified pieces of code, displayed in your post, do not appear to be part of the current version of the RadControls for ASP.NET AJAX. I have attached the SpellCheckService.js for reference. Could you please specify the version of the controls that you are using in your application? Furthermore, we will need more information from the security check so that we can review whether this is indeed a real issue or a false alert, such as the usage scenario, the controls that are causing the security warning, etc.

Greetings,
Niko
the Telerik team