No anti-CSRF token for some URIs #691

Open

reclans opened this issue Oct 9, 2020 · 0 comments
reclans commented Oct 9, 2020

ZAP has observed that no anti-CSRF (Cross Site Request Forgery) token is issued by the target system for some URIs. This is a significant risk, since it means an end-user could unknowingly have their account carry out activities on behalf of an attacker. The use of anti-CSRF tokens, such as those provided by Web frameworks like Django, is an effective way to prevent this.

ZAP scan report https://baldin.crc.nd.edu/CRC-Restricted/ScanResults/PresQT/2020/PresQT_QA_ZAP_Scan.html

CRC best practices https://sites.google.com/nd.edu/cbp/home

You may need to be on campus or on the VPN to access these links.

@reclans reclans added this to the Sprint 41 milestone Oct 9, 2020
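Added example (not code from the PresQT project, from ZAP, or from the issue author): the synchronizer-token pattern that the ZAP finding above asks for, next to a small passive check modelled on what ZAP reports. The `session` dict, the field names in `KNOWN_TOKEN_NAMES` (a hand-picked subset; `csrfmiddlewaretoken` is the name Django uses), and the sample forms are assumptions constructed for the example.

```python
import hmac
import secrets
from html.parser import HTMLParser

# Hidden-field names treated here as anti-CSRF tokens. This subset is an
# assumption for the example (scanner lists are larger and configurable);
# names are compared lower-cased.
KNOWN_TOKEN_NAMES = {
    "csrfmiddlewaretoken",      # Django
    "authenticity_token",       # Rails
    "__requestverificationtoken",  # ASP.NET
    "csrf_token",
    "_csrf",
    "_token",
}


# --- server side: synchronizer token pattern --------------------------------

def issue_token(session):
    """Return the session's anti-CSRF token, minting one on first use.

    `session` is a plain dict standing in for server-side session storage
    (an assumption of the example). The token is tied to the session and
    embedded in the form, so a cross-site page cannot obtain it.
    """
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session["csrf_token"] = token
    return token


def render_form(session, action):
    """Render a state-changing form carrying the token as a hidden input."""
    token = issue_token(session)
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
        f'<input type="text" name="title">'
        f'<input type="submit" value="Save">'
        f"</form>"
    )


def validate_token(session, submitted):
    """Constant-time comparison; a missing token on either side fails closed."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session, form_fields):
    """Minimal request handler: reject any POST whose token does not match."""
    if not validate_token(session, form_fields.get("csrfmiddlewaretoken")):
        return 403, "CSRF token missing or invalid"
    return 200, "saved"


# --- scanner side: what the finding looks for --------------------------------

class _FormCollector(HTMLParser):
    """Collect each <form> with its method and the names of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action", ""),
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def forms_without_csrf_token(html):
    """Return action URIs of POST forms with no recognised token field.

    A simplification of a passive anti-CSRF check, not ZAP's own rule.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    return [
        f["action"]
        for f in parser.forms
        if f["method"] == "post"
        and not any(name in KNOWN_TOKEN_NAMES for name in f["inputs"])
    ]


if __name__ == "__main__":
    session = {}
    safe = render_form(session, "/api/collections")
    # Constructed sample of the kind of form a scan would flag.
    unsafe = '<form method="post" action="/api/delete"><input name="id" value="7"></form>'
    print("flagged:", forms_without_csrf_token(safe + unsafe))
    print(handle_post(session, {"csrfmiddlewaretoken": session["csrf_token"]}))
    print(handle_post(session, {"csrfmiddlewaretoken": "forged"}))
```

Two points worth checking when triaging this finding against the real report: the scanner only sees whether a token field is present in the rendered form, so a token that is emitted but never validated server-side (the `validate_token` half) still leaves the endpoint exploitable; and for JSON or token-authenticated API endpoints that never accept browser form submissions, the alert can be a false positive, which should be recorded rather than silently ignored.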