General developer forum

Qualys scan result: missing CSRF tokens

Matteo Scaramuccia
Re: Qualys scan result: missing CSRF tokens
(Core developers, Particularly helpful Moodlers, Plugin developers)

Hi Istvan,
that's an interesting question: probing only the HTTP Status to check for supposed CSRF issues could lead to false positives, indeed.
They should even test the body of the response and not only the HTTP Headers, obviously in the domain of the webapp being scanned (which requires.

BTW, yes it could be IMHO a nice improvement if Moodle could manage CSRF errors still displaying them but with a 400 HTTP Status.


Average of ratings: Useful (1)
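An added example (not Moodle's code or anything posted in the thread) that reproduces the false positive Matteo describes: a constructed page handler rejects a request with a bad session token but renders the error with status 200, and a status-only check misreads that as "accepted" while a body-aware check does not. The error text, the `sesskey` field name usage and the function names are assumptions for the example.

```python
import hmac
import secrets

# Constructed stand-in for a Moodle-style page: state-changing requests must
# carry the session's CSRF token (Moodle calls it "sesskey") as a form field.
ERROR_TEXT = "Invalid sesskey"  # assumed error wording, not Moodle's exact text


def handle_post(form: dict, session: dict, status_on_error: int = 200) -> tuple:
    """Return (http_status, body).

    On a missing or wrong token the page renders an error. By default it does
    so with status 200, as the thread describes; passing 400 models the
    suggested improvement of keeping the error page but signalling failure.
    """
    supplied = form.get("sesskey", "")
    expected = session["sesskey"]
    # Constant-time comparison so token checking does not leak timing.
    if not hmac.compare_digest(supplied, expected):
        return status_on_error, f"<p>{ERROR_TEXT}</p>"
    return 200, "<p>Action completed</p>"


def rejected_by_status(status: int, body: str) -> bool:
    """Status-only heuristic, the kind of probe the scanner seems to rely on."""
    return status >= 400


def rejected_by_body(status: int, body: str) -> bool:
    """Body-aware check: the app's own error text also counts as a rejection."""
    return status >= 400 or ERROR_TEXT in body


def triage(status_on_error: int) -> dict:
    """Send a token-less request to the constructed page and compare verdicts."""
    session = {"sesskey": secrets.token_hex(8)}
    status, body = handle_post({"action": "delete"}, session, status_on_error)
    return {
        "status": status,
        "status_only_says_rejected": rejected_by_status(status, body),
        "body_aware_says_rejected": rejected_by_body(status, body),
    }
```

With the default 200 the two verdicts disagree (the status-only check reports a CSRF finding that is not there); with 400 they agree.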