Telerik + OWASP + Cross-Site Request Forgery

2 posts, 0 answers
  1. Kyle
    7 posts
    Member since:
    Aug 2012

    Posted 01 Aug 2012

    I was hoping to get some information on an issue that I ran into when running my website through Fortify. I have a feeling that it is a false positive, but I need some airtight logic that can explain why these issues should not be a concern to the client. Or, if it is not a false positive, how should I go about resolving the issue?

    My web code returned two issues under the category of "Cross-Site Request Forgery". The files in question are Controls.js and SpellCheckService.js. Fortify says "Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance of the request. One way to do that is to include a random request."

    I did some searching to see if this issue has been brought up before and what the resolution might be, but was unable to find anything that I could use to explain the issue.

    I am not sure if this issue could be valuable to an attacker as a CSRF target and whether or not appropriate mitigation techniques need to be in place. But, like I said above, I need to explain clearly why it does not have the potential to be exploited, if that is in fact the case in this example. Thanks for your help and I look forward to your explanation.

    Controls.js:

    Line 2072: _65.open("POST",url,true);

    SpellCheckService.js:

    Line 50: this._xmlHttpRequest.open("POST",this.GetTimeStampedCallbackUrl(),true);

  2. Niko
    Admin
    404 posts

    Posted 03 Aug 2012

    Hello Kyle,

    The specified pieces of code, displayed in your post, do not appear to be part of the current version of the RadControls for ASP.NET AJAX. I have attached the SpellCheckService.js for reference. Could you please specify the version of the controls that you are using in your application? Furthermore, we will need more information from the security check so that we can review whether that is indeed a real issue or a false alert, such as the scenario of usage, the controls that are causing the security warning, etc.

    Greetings,
    Niko
    the Telerik team