HawkScan Test Info for Absence of Anti-CSRF Tokens

Absence of Anti-CSRF Tokens

Reference

Plugin Id: 10202

Remediation

Most frameworks now include some kind of Anti-CSRF library to implement in code. Include them and turn them on. Typically frameworks will include a nonce value for form submissions that are generated and checked by server-side code before performing actions, also known as CSRF tokens.

About

The StackHawk scanner is looking for anti-CSRF token material or values in the forms on an application. Absence of them will raise an alert.

Risks

Cross-Site Request Forgery (CSRF) allows an attacker to trick an authenticated end user into making requests against your application by making requests to your application from other applications. This can lead to unauthorized actions being performed on behalf of the user, such as changing account settings, making purchases, or deleting data. By including Anti-CSRF tokens in your application, you can protect against CSRF attacks by ensuring that requests are only accepted if they include a valid token that is generated and verified by the server-side code.