CSRF
The Enable CSRF option should only be selected if the site you are scanning includes Cross-Site Request Forgery (CSRF) tokens, because it adds overhead to the scan.
About CSRF
Cross-Site Request Forgery (CSRF) is a malicious exploit of a website in which unauthorized commands are transmitted from a user’s browser that the website trusts. CSRF exploits piggyback on the trust that a site has in a user’s browser, using the fact that the user has already been authenticated by the site and that the chain of trust is still open.
Example:
A user visits a bank, is authenticated, and a cookie is placed on the user’s machine. After the user completes the banking transaction, he or she switches to another browser tab and continues a conversation on an enthusiast website devoted to the user’s hobby. On the site, someone has posted a message that includes an HTML image element. The HTML image element includes a request to the user’s bank to extract all of the cash from the account and deposit it into another account. Because the user has a cookie on his or her device that has not expired yet, the transaction is honored and all of the money in the account is withdrawn.
CSRF exploits often involve sites that rely on trust in a user’s identity, often maintained through the use of a cookie. The user’s browser is then tricked into sending HTTP requests to the target site in the hope that the trust relationship between the user’s browser and the target site still exists.
Using CSRF Tokens
To stop cross-site request forgeries from occurring, common practice is to configure the server so that the forms it generates include a randomly generated parameter with a common name such as "CSRFToken". The token may be generated once per session, or a new one may be generated for each request. If you have used CSRF tokens in your code and enabled CSRF in Fortify WebInspect, we will take this into consideration when crawling your site. Each time Fortify WebInspect launches an attack, it will request the form again to acquire a new CSRF token. This adds significantly to the time it takes for Fortify WebInspect to complete a scan, so do not enable CSRF if you are not using CSRF tokens on your site.
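Added example (not Fortify WebInspect's or this page's own code): a minimal server-side model of the token scheme described above, covering both issuance policies the text mentions, per session and per request. The class, the session ids and the sample parameters are constructed for illustration; it shows why a client, a scanner included, must re-fetch the form before every submission in per-request mode, because a token is rejected once it has been used.

```python
import hmac
import secrets

TOKEN_PARAM = "CSRFToken"  # the common parameter name the text mentions

class CsrfProtectedApp:
    """Server-side CSRF token handling in per-session or per-request (single-use) mode."""
    def __init__(self, mode="session"):
        if mode not in ("session", "request"):
            raise ValueError("mode must be 'session' or 'request'")
        self.mode = mode
        self.sessions = {}  # session id -> set of currently valid tokens (constructed store)

    def serve_form(self, session_id):
        """Return the hidden fields the server embeds in the form it sends out."""
        tokens = self.sessions.setdefault(session_id, set())
        if self.mode == "session" and tokens:
            return {TOKEN_PARAM: next(iter(tokens))}
        token = secrets.token_urlsafe(32)
        tokens.add(token)
        return {TOKEN_PARAM: token}

    def handle_post(self, session_id, params):
        """Accept a state-changing request only if it carries a valid token."""
        tokens = self.sessions.get(session_id, set())
        submitted = params.get(TOKEN_PARAM, "").encode()
        # Constant-time comparison against each token the session still holds.
        match = next((t for t in tokens if hmac.compare_digest(t.encode(), submitted)), None)
        if match is None:
            return False
        if self.mode == "request":
            tokens.discard(match)  # single use: replaying the token is rejected
        return True

def run_scenarios():
    """Exercise both modes; returns which submissions the server accepts."""
    req = CsrfProtectedApp("request")
    token = req.serve_form("alice")[TOKEN_PARAM]
    results = {
        "forged_no_token": req.handle_post("alice", {"amount": "100"}),
        "genuine_submit": req.handle_post("alice", {"amount": "100", TOKEN_PARAM: token}),
        "replayed_token": req.handle_post("alice", {"amount": "100", TOKEN_PARAM: token}),
    }
    ses = CsrfProtectedApp("session")
    first = ses.serve_form("bob")[TOKEN_PARAM]
    results["session_token_stable"] = ses.serve_form("bob")[TOKEN_PARAM] == first
    results["session_token_reusable"] = all(ses.handle_post("bob", {TOKEN_PARAM: first}) for _ in range(2))
    results["other_users_token"] = ses.handle_post("carol", {TOKEN_PARAM: first})
    return results
```

A request that arrives without the token, with a token already spent in per-request mode, or with a token belonging to a different session is refused; in per-session mode the same token is accepted for every form in that session.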
Enabling CSRF Awareness in Fortify WebInspect
If your site uses CSRF tokens, you can enable CSRF awareness in Fortify WebInspect as follows:
- Select Default Scan Settings from the Edit menu.
  The Scan Settings window appears.
- From the Scan Settings column, select HTTP Parsing.
- Select the Enable CSRF box.