Regarding CSRF

DVS Developers asked on August 21, 2015 11:55

Hi,

Recently our Acunetix software reported a CSRF vulnerability in a couple of pages which are developed using the Kentico portal engine (the pages contain online forms). We tried to fix the issue with the help of the available docs:

https://docs.kentico.com/pages/viewpage.action?pageId=57442787

http://www.kentico.com/downloads/Kentico-CMS_Security-White-Paper.pdf

In Web.Config we have this configuration to fix CSRF:

<machineKey validationKey="***********" decryptionKey="***************" validation="SHA1" decryption="AES" />
<pages buffer="true" enableSessionState="true" enableViewState="true" enableViewStateMac="true" viewStateEncryptionMode="Always" validateRequest="false" clientIDMode="AutoID" />

But unfortunately the fix suggested in the docs did not help us to fix the CSRF issue. So please suggest what we should do?

Thanks....

Recent Answers


Roman Koníček answered on August 21, 2015 12:43

Hi,

I would also recommend checking the following article on DevNet regarding CSRF - http://devnet.kentico.com/articles/protection-against-cross-site-request-forgery-%28csrf-xsrf%29

The key information is that the protection is applied to all pages which inherit from CMSPage or AbstractCMSPage. Could you please clarify that this is true in your case? Also, could you please double check that you are not using the following key in your web.config file: <add key="CMSUseViewStateUserKey" value="false" />?

Thanks,

Best regards, Roman Konicek


DVS Developers answered on August 21, 2015 15:30

Hi,

We appreciate Kentico taking CSRF seriously and introducing tokens in Kentico version 9. The pages are designed using the portal engine, so we think those pages already inherit from CMSPage or AbstractCMSPage. The CMSUseViewStateUserKey key did not exist in the web.config, so we added it, set the value to true, and scanned again with Acunetix; it is still reporting CSRF. Any suggestions?

Thanks......


Brenden Kehren answered on August 21, 2015 18:48

What are the warnings you're receiving about CSRF on your Acunetix report?


DVS Developers answered on August 24, 2015 09:56

Warning message: HTML form without CSRF protection

The form was designed using the Kentico online form app. It is a simple form containing an Email text box and a submit button for subscribing to newsletters.

Note: A validation rule is already placed on the Email text box so that only email addresses are allowed to be submitted.


Juraj Komlosi answered on August 26, 2015 10:43

Hi,

In that case you can mark it as a false positive. Web application scanners look for certain keywords in the request/response to figure out whether the website is vulnerable to CSRF or not. Typically it is a CSRF hidden field, a CSRF request header or a CSRF cookie. If nothing is found, the scanner marks it as CSRF vulnerable. Since we use ViewState as the CSRF protection, Acunetix is not able to verify whether the website is vulnerable or not.

This false positive reported by Acunetix should be removed in Kentico 9.

Best regards.

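The two points raised in the answers above (Roman's, that the ViewStateUserKey-based protection only covers pages inheriting the CMS base page, and Juraj's, that a scanner cannot see ViewState-based protection because it only looks for a recognisable token field, header or cookie) are easiest to understand with a minimal ASP.NET Web Forms base page that does both jobs. The code below is an added illustration written for this thread; it is not Kentico's CMSPage, AbstractCMSPage or any other code from the Kentico project. The field name __CSRFTOKEN, the session key CsrfToken and the class name CsrfProtectedPage are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Hypothetical base page (not Kentico's CMSPage) showing the two mechanisms
// discussed in the thread:
//  1. ViewStateUserKey ties the ViewState MAC to the visitor's session, so a
//     cross-site POST that replays someone else's __VIEWSTATE fails MAC
//     validation before any button event runs. This is the protection that
//     scanners cannot recognise from the page markup alone.
//  2. An explicit synchronizer token in a hidden field gives the same
//     protection in a form a scanner (and a reviewer) can see and verify.
public class CsrfProtectedPage : Page
{
    private const string TokenFieldName = "__CSRFTOKEN";   // constructed name
    private const string TokenSessionKey = "CsrfToken";    // constructed name

    protected override void OnInit(EventArgs e)
    {
        // Fail closed: binding ViewState to the session is meaningless if the
        // MAC itself is switched off (enableViewStateMac="false" in web.config).
        if (!EnableViewStateMac)
            throw new InvalidOperationException(
                "EnableViewStateMac must be true for ViewStateUserKey to protect against CSRF.");

        // Must be set during Init, before ViewState is loaded and validated.
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Every postback must carry the token issued to this session.
        if (IsPostBack)
            ValidateToken();
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        // Emit the per-session token as a hidden field so it is posted back
        // with the form. Storing it in Session also pins the session ID, which
        // ASP.NET otherwise regenerates on each request for an empty session
        // (and that would make ViewStateUserKey differ between render and postback).
        ClientScript.RegisterHiddenField(TokenFieldName, GetOrCreateToken());
    }

    private string GetOrCreateToken()
    {
        string token = Session[TokenSessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            Session[TokenSessionKey] = token;
        }
        return token;
    }

    private void ValidateToken()
    {
        string expected = Session[TokenSessionKey] as string;
        string submitted = Request.Form[TokenFieldName];
        if (expected == null || submitted == null || !FixedTimeEquals(expected, submitted))
        {
            // Reject the request; do not let the page's event handlers run.
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Constant-time comparison so token validation does not leak length or
    // prefix information through timing differences.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Pages derive from CsrfProtectedPage instead of Page, which is the same structural requirement Roman describes for Kentico's own base pages: a page that does not inherit the protected base class gets neither mechanism, whatever web.config says. Mechanism 1 alone is what the thread's web.config plus CMSUseViewStateUserKey provides, and it is invisible to a keyword-based scanner; mechanism 2 is the kind of explicit token a scanner can find, and it is the reason the false positive is expected to go away once token-based protection is in place.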
