cross site request forgery

I found this security norms in asp.net web application cross site request forgery app scan report , please guide how i resolve this?
komaljadhavAsked:
Who is Participating?
 
btanExec ConsultantCommented:
Mainly two approaches to CSRF defence unless you are having other specific vulnerability message.

1) The simplest method relies on the browser referer header. But it does not protect against links to your site sent in an email.

2) The token solution relies on adding a parameter to the form that expires when the user logs out, or after a timeout period. As with the referer solution, the best place to check the token is somewhere affecting all the authenticated pages.

https://www.ibm.com/developerworks/library/se-appscan-detect-csrf-xsrf/index.html

In fact, ypu can have both such that once you have verified that the request appears to be a same origin request so far (1), you can do a second check as an additional precaution to really make sure. This second check (2) is using CSRF specific tokens created and verified by your application (or can rely on the presence of other HTTP headers depending on the level of rigor/security you want).

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
0
 
Dr. KlahnPrincipal Software EngineerCommented:
For an Apache server, you can add the X-XSS-PROTECTION tag to responses.

# Add the X-XSS-PROTECTION tag to all response headers
Header set X-XSS-Protection "1; mode=block"

Open in new window


This should alleviate the situation somewhat, and I suspect that the lack of this header is what was detected by your security scan.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

"The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP."

Interestingly, the above article found on the Mozilla site indicates that Firefox does not honor this header.
0
 
btanExec ConsultantCommented:
For author advice.
0
 
btanExec ConsultantCommented:
No further inputs from author
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.