Missing CsrfToken in 404 pages

Ryan Nguyen asked on January 24, 2019 08:29

I found that some special links do not have a __CMSCsrfToken value. It is also happening in this forum. Ex: https://devnet.kentico.com/imagegen.ashx

Recent Answers


Eric Dugre answered on January 24, 2019 15:32

CSRF protection is only really necessary when the page POSTs some data (though GET requests can still cause CSRF). Why would the 404 page you mentioned (https://devnet.kentico.com/imagegen.ashx) be vulnerable to CSRF?


Ryan Nguyen answered on January 25, 2019 02:34

Because in our site, we have a form that allows users to search, so we need CSRF for any pages. I found that just some special links do not have this. These are some links I scanned:

/admin/home.aspx
/rest/sharelinks/1.0/link
/ScriptResource.axd
/admin/admin_login.aspx
/admin/login.aspx
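The distinction drawn in this thread, as an added example that is not part of the original posts or of Kentico's code: a scanner finding of "no `__CMSCsrfToken`" only matters when the response actually renders a form that submits data. The `triage` helper, its labels and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

TOKEN_FIELD = "__CMSCsrfToken"  # hidden field name taken from the question


class FormAudit(HTMLParser):
    """Collects each <form> with its method and whether it carries the token."""

    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per <form> seen
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults to GET when no method attribute is given.
            self._open = {"method": (a.get("method") or "get").lower(), "token": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            # An empty token value is treated the same as a missing token.
            if a.get("name") == TOKEN_FIELD and a.get("value"):
                self._open["token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def triage(html):
    """Classify one scanned response body (hypothetical labels)."""
    audit = FormAudit()
    audit.feed(html)
    posts = [f for f in audit.forms if f["method"] == "post"]
    if not posts:
        # Nothing is POSTed from this page, e.g. a bare 404. GET endpoints
        # that change state still need a separate review.
        return "no-post-form"
    return "protected" if all(f["token"] for f in posts) else "review"


# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "/missing.ashx": "<html><body><h1>Page not found</h1></body></html>",
    "/search.aspx": '<form method="post"><input type="hidden" '
                    'name="__CMSCsrfToken" value="abc123"><input name="q"></form>',
    "/feedback.aspx": '<form method="POST"><input name="msg"></form>',
}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(path, triage(body))
```

Only responses labelled `review` render a POST form without the token; a 404 body with no form lands in `no-post-form`.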
