cross site request forgery

I found this security norms in asp.net web application cross site request forgery app scan report , please guide how i resolve this?
komaljadhavAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Mainly two approaches to CSRF defence unless you are having other specific vulnerability message.

1) The simplest method relies on the browser referer header. But it does not protect against links to your site sent in an email.

2) The token solution relies on adding a parameter to the form that expires when the user logs out, or after a timeout period. As with the referer solution, the best place to check the token is somewhere affecting all the authenticated pages.

https://www.ibm.com/developerworks/library/se-appscan-detect-csrf-xsrf/index.html

In fact, ypu can have both such that once you have verified that the request appears to be a same origin request so far (1), you can do a second check as an additional precaution to really make sure. This second check (2) is using CSRF specific tokens created and verified by your application (or can rely on the presence of other HTTP headers depending on the level of rigor/security you want).

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dr. KlahnPrincipal Software EngineerCommented:
For an Apache server, you can add the X-XSS-PROTECTION tag to responses.

# Add the X-XSS-PROTECTION tag to all response headers
Header set X-XSS-Protection "1; mode=block"

Open in new window


This should alleviate the situation somewhat, and I suspect that the lack of this header is what was detected by your security scan.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

"The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP."

Interestingly, the above article found on the Mozilla site indicates that Firefox does not honor this header.
0
btanExec ConsultantCommented:
For author advice.
0
btanExec ConsultantCommented:
No further inputs from author
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.