I was hoping to get some information on an issue that I ran into when running my website through Fortify. I have a feeling that it is a false positive, but I need some airtight logic that can explain why these issues should not be a concern to the client. Or, if it is not a false positive, how should I go about resolving the issue?
My web code returned two issues under the category of "Cross-Site Request Forgery". The files in question are Controls.js and SpellCheckService.js. Fortify says "Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance of the request. One way to do that is to include a random request."
I did some searching to see if this issue has been brought up before and what the resolution might be, but was unable to find anything that I could use to explain the issue.
I am not sure if this issue could be valuable to an attacker as a CSRF target and whether or not appropriate mitigation techniques need to be in place. But, like I said above, I need to explain clearly why it does not have the potential to be exploited, if that is in fact the case in this example. Thanks for your help, and I look forward to your explanation.
Controls.js:
    Line 2072: _65.open("POST",url,true);
SpellCheckService.js:
    Line 50: this._xmlHttpRequest.open("POST",this.GetTimeStampedCallbackUrl(),true);