
Qualys scan result: missing CSRF tokens

Istvan Denes

Dear All,

We got the result of the Qualys Security Scan and the report claims there are many missing CSRF tokens around the site.

I am confused because Moodle uses sesskey for this purpose.

As we looked into it, the problem might be that on an incorrect sesskey the site responds with HTTP 200 instead of HTTP 400.

Is it correct?

If it is correct, is there any way to respond with HTTP 400 on an incorrect sesskey?

Or does it even make sense to deal with this?

What's your experience? I suppose I am not alone with this. 

We are using Totara Moodle 2.6; however, we will replace it with Moodle 3.4.

Many thanks in advance


Matteo Scaramuccia
Re: Qualys scan result: missing CSRF tokens

Hi Istvan,
that's an interesting question: probing only the HTTP status to check for supposed CSRF issues could indeed lead to false positives.
They should also test the body of the response and not only the HTTP headers, obviously in the domain of the webapp being scanned (which requires.

BTW, yes, IMHO it could be a nice improvement if Moodle could manage CSRF errors by still displaying them, but with a 400 HTTP status.


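The two behaviours discussed in this thread, as an added example in Python (not Moodle's PHP code and not from either poster): a sesskey-style check that serves the error page with HTTP 200 versus one that serves the same page with HTTP 400, and the two scanner verdicts (status-only versus status-plus-body) that explain the false positive. All names, the token format and the error page text are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for Moodle's session-bound sesskey; assumed names, not Moodle code.
def issue_sesskey(session):
    """Mint a per-session CSRF token once and reuse it for the session's lifetime."""
    if "sesskey" not in session:
        session["sesskey"] = secrets.token_hex(16)
    return session["sesskey"]

ERROR_PAGE = "<h1>Error</h1><p>Incorrect sesskey submitted, form not accepted.</p>"

def sesskey_valid(session, form):
    """Constant-time comparison of the submitted token with the session's token."""
    expected = session.get("sesskey")
    supplied = form.get("sesskey", "")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())

def handle_post_legacy(session, form):
    """Behaviour described in the thread: the CSRF check blocks the action,
    but the error page is served with HTTP 200."""
    if not sesskey_valid(session, form):
        return 200, ERROR_PAGE
    return 200, "<p>Settings saved.</p>"

def handle_post_strict(session, form):
    """The improvement suggested in the reply: same error page, but HTTP 400."""
    if not sesskey_valid(session, form):
        return 400, ERROR_PAGE
    return 200, "<p>Settings saved.</p>"

def status_only_verdict(status, body):
    """How a scanner that probes only the status code judges the response."""
    return "accepted" if status == 200 else "blocked"

def body_aware_verdict(status, body):
    """Scanner that also inspects the body for the application's CSRF error text."""
    if status != 200 or "incorrect sesskey" in body.lower():
        return "blocked"
    return "accepted"
```

With the legacy handler, the status-only scanner reports "accepted" for a forged request even though the action was never performed, which is exactly the false positive the thread describes; the body-aware scanner and the strict handler both remove the ambiguity.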