Qualys scan result: missing CSRF tokens

by Istvan Denes -

Dear All,

We got the result of the Qualys Security Scan and the report claims there are many missing CSRF tokens around the site.

I am confused because Moodle uses sesskey for this purpose.

As we looked into it, the problem might be that on an incorrect sesskey the site responds with HTTP 200 instead of HTTP 400.

https://community.qualys.com/thread/15185

Is it correct?

If it is correct, is there any way to respond with a 400 in case of an incorrect sesskey?

Or does it even make sense to deal with this?

What's your experience? I suppose I am not alone with this.

We are using Totara Moodle 2.6; however, we will replace it with Moodle 3.4.

Many thanks in advance

Istvan

In reply to Istvan Denes

Re: Qualys scan result: missing CSRF tokens

by Matteo Scaramuccia -

Hi Istvan,
that's an interesting question: probing only the HTTP status to check for supposed CSRF issues could lead to false positives, indeed.
They should even test the body of the response and not only the HTTP Headers, obviously in the domain of the webapp being scanned (which requires.

BTW, yes, IMHO it could be a nice improvement if Moodle could handle CSRF errors by still displaying them, but with a 400 HTTP status.

HTH,
Matteo

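The two posts above describe the same mechanism from opposite sides: the site rejects a request whose per-session token (Moodle's "sesskey") is missing or wrong, but renders that rejection as a normal HTTP 200 page, so a scanner that judges only the status code reports "missing CSRF token". The following simulation is an added example, not Moodle's or Qualys's code; the `MiniApp` class, its `post` method and the two scanner-verdict functions are constructed here to show why a status-only check false-positives and how the 400-status variant Matteo suggests would satisfy it.

```python
"""Added example: status-only vs body-aware assessment of a sesskey-style CSRF check.

Constructed simulation, not Moodle code. It models a per-session anti-CSRF
token (like Moodle's sesskey) and two ways a scanner might judge the reply
to a request submitted without that token.
"""
import hmac
import secrets


class MiniApp:
    """Hypothetical app with a per-session token ("sesskey")."""

    def __init__(self):
        self._sessions = {}  # session id -> sesskey

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = secrets.token_urlsafe(18)
        return sid

    def sesskey(self, sid):
        """The token a legitimate form would carry, as Moodle embeds sesskey in its forms."""
        return self._sessions[sid]

    def _sesskey_ok(self, sid, supplied):
        expected = self._sessions.get(sid)
        # Constant-time comparison; a missing or empty value never matches.
        return expected is not None and hmac.compare_digest(expected, supplied or "")

    def post(self, sid, form, strict_status=False):
        """State-changing request. Returns (status, body).

        strict_status=False mimics the behaviour the thread describes: the
        CSRF error is rendered as a normal page with HTTP 200.
        strict_status=True is the proposed improvement: same page, HTTP 400.
        """
        if not self._sesskey_ok(sid, form.get("sesskey")):
            body = "Incorrect sesskey submitted, form not accepted."
            return (400 if strict_status else 200, body)
        return (200, "Profile updated.")


# Text the app itself puts in its error page; a body-aware check keys on it.
ERROR_MARKER = "Incorrect sesskey"


def status_only_says_protected(resp):
    """Scanner logic A: a 2xx reply to a tokenless submission = 'no CSRF protection'."""
    status, _body = resp
    return status >= 400


def body_aware_says_protected(resp, marker=ERROR_MARKER):
    """Scanner logic B: also accept the app's own rejection text in the body."""
    status, body = resp
    return status >= 400 or marker in body


def assess(strict_status):
    """Return the status and both scanner verdicts for one server configuration."""
    app = MiniApp()
    sid = app.new_session()
    # Sanity: the legitimate form, carrying its sesskey, is accepted.
    ok_status, _ = app.post(sid, {"fullname": "Alice", "sesskey": app.sesskey(sid)},
                            strict_status=strict_status)
    assert ok_status == 200
    # The scanner's probe: the same form with the token left out.
    resp = app.post(sid, {"fullname": "Mallory"}, strict_status=strict_status)
    return {
        "status": resp[0],
        "status_only": status_only_says_protected(resp),
        "body_aware": body_aware_says_protected(resp),
    }


if __name__ == "__main__":
    for strict in (False, True):
        print("strict_status=%s -> %s" % (strict, assess(strict)))
```

With `strict_status=False` the request is refused in both cases, but only the body-aware verdict recognises it; the status-only verdict is the false positive the thread is about. With `strict_status=True` both verdicts agree, which is what returning 400 on a bad sesskey would buy: no change in protection, only a reply that generic tooling can read without knowing the application's error page.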