ajax - Avoiding XSS/XSRF attacks with static parameters -


i have ajax requests follow basic pattern:

function(visitorid, sessionid, ...parameters more specific method call..)

the visitor , session id randomly generated server side. visitor , session ids used validate real visitor live session in our software. 1 method signature:

function(visitorid, sessionid, issueid)

returns state (open, closed, waiting, etc) of current customer's issue represented int. today got flagged security report 1 of our customers stating particular method vulnerable cross site request forgery because

the test result seems to indicate a vulnerability because the same request was sent twice in different  sessions, and the same response was received. this shows that none of the parameters are dynamic  (session identifiers are sent only in cookies) and therefore that the application is vulnerable to csrf.

a couple things note:

  1. these methods available post requests, if matters.

  2. a "session" in our software not tied session browser, or iis. our software windows service, iis go down, browser close, , retain session until our internal session tracker determines time rid of it.

3.the ajax request being sent wcf service relays request our windows sevice.

this has me scratching head because majority of our methods follow pattern of static parameters, tend return unique data. makes me wonder if return state along random data potentially pass security test, doesnt seem right. best way approach this?

the best reply report, explaining how sessions work , result "detection" false positive.

a significant number of "vulnerability reports" "consultants" repackaged results misconfigured or confused scanner such hp appscan. don't need change code "comply" there no real issue.

just mention "false positive" , see :)


Comments

Post a Comment

Popular posts from this blog

basic authentication with http post params android -

i doing basic authentication passing username , password , using basicnamevaluepair sending post params response service. my method: public stringbuilder callservicehttppost(string username, string password, string type) { // create new httpclient , post header httpclient httpclient = new defaulthttpclient(); httppost httppost = new httppost(webservice + type); httpresponse response = null; stringbuilder total = new stringbuilder(); try { url url = new url(webservice + type); /*string base64encodedcredentials = base64.encodetostring((username + ":" + password).getbytes(), base64.url_safe | base64.no_wrap);*/ string base64encodedcredentials = "basic " + base64.encodetostring( (username + ":" + password).getbytes(), base64.no_wrap); httppost.setheader("auth...
Read more

vb.net - Virtual Keyboard commands -

i wondering difference between virtual these keyboard commands is: keyeventf_extendedkey , keyeventf_keyup is. everywhere have looked gives me description based off integers , not want know each of them does. you've tagged question vb.net, these have nothing @ vb.net. they're constants defined in windows header files, use win32 api functions. as far difference, can't tell looking @ values. individual values not particularly important, that's why named identifiers used. what's important used , documentation functions tells mean. the first one, keyeventf_extendedkey , used keybdinput structure (which used along e.g. sendinput function) pass information synthesized keyboard input. if flag used, means scan code should interpreted extended key. technically, means scan code preceded prefix byte value 224 (&he0 in hexadecimal notation). the second one, keyeventf_keyup , 1 of flags available use structure. means key being released (going up)...
Read more

css - Firefox for ubuntu renders wrong colors -

Image
i've got following problem: i'm developing website, while testing around i've noticed firefox , chromium display css bar in different colors. when switched between several machine come conclusion firefox ubuntu problem. on other devices i've tested website. it's fine. the differences between chrome , firefox rendering: firefox: chromium: note: firefox ubuntu problem. does knows why , came solution? https://bugzilla.mozilla.org/show_bug.cgi?id=655637 bug 629312 - firefox displays wrong colors on image (only linux) open about:config , rechange gfx.color_management.mode 2 0.
Read more