Resolve Frontend Cross-Site Request Forgery Findings (CRASM-730)

[hawkishpolicy]

🐛 Summary

Cross-Site Request Forgery (Medium severity) CWE-352: Cross-Site Request Forgery (CSRF)

In the majority of today's web applications, clients are required to submit forms which can __ perform sensitive operations.

An example of such a form being used would be when an administrator wishes to create a new user for the application.

In the simplest version of the form, the administrator would fill-in: Name, Password, Role (level of access)

Continuing with this example, Cross Site Request Forgery (CSRF) would occur when the administrator is tricked into clicking on a link, which if logged into the application, would automatically submit the form without any further interaction.

Cyber-criminals will look for sites where sensitive functions are performed in this manner and then craft malicious requests that will be used against clients via a social engineering attack.

There are 3 things that are required for a CSRF attack to occur:

1. The form must perform some sort of sensitive action.
2. The victim (the administrator the example above) must have an active session.
3. Most importantly, all parameter values must be known or guessable.

The tool discovered that all parameters within the form were known or predictable and therefore the form could be vulnerable to CSRF.

Manual verification may be required to check whether the submission will then perform a sensitive action, such as reset a password, modify user profiles, post content on a forum, etc.

Guidance:

Based on the risk (determined by manual verification) of whether the form submission performs a sensitive action, the addition of anti-CSRF tokens may be required.

These tokens can be configured in such a way that each session generates a new anti-CSRF token or such that each individual request requires a new token.

It is important that the server track and maintain the status of each token (in order to reject requests accompanied by invalid ones) and therefore prevent cyber-criminals from knowing, guessing or reusing them. For examples of framework specific remediation options, please refer to the references.

References:

• CGI Security - CSRF
• Wikipedia - CSRF
• [OWASP - CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF%29)

STE ID	Location	Code
1280561	xfd_develop/frontend/scripts/api.js:10	10 export const app = express();
1280604	xfd_develop/frontend/scripts/docs.js:8	8 export const app = express();
1280529	xfd_develop/frontend/src/components/ReadySetCyber/RSCQuestion.tsx:176	176 target="_blank"
1280494	xfd_develop/frontend/src/components/ReadySetCyber/RSCRegisterForm.tsx:45	45 body: JSON.stringify(body)
1280605	xfd_develop/frontend/src/components/Subnav.tsx:30	30 target="_blank"
1280750	xfd_develop/frontend/src/components/Footer/Footer.tsx:43	Unknown macro: {{43 target="_blank"} }
1280649	xfd_develop/frontend/src/components/Register/RegisterForm.tsx:52	52 body: JSON.stringify(body)

 

Acceptance Criteria:

Resolve Checkmarx findings for the category Resolve Cross-Site Request Forgery that are in the frontend.

Any helpful log output or screenshots

Paste the results here:

Add any screenshots of the problem here.