SV-222603r508029_rule
V-222603
SRG-APP-000251
APSC-DV-002500
CAT II
10
Configure the application to use unpredictable challenge tokens and check the HTTP referrer to ensure the request was issued from the site itself. Implement mitigating controls as required such as using web reputation services.
Review the application documentation, the code review reports and the vulnerability assessment scan results from the automated vulnerability assessment tools.
Verify scan configuration settings include web-based application settings which include XSS tests.
Review the scan results for CSRF vulnerabilities.
If the scan results indicate aspects of the application are vulnerable to CSRF, request subsequent scan data that shows the CSRF vulnerabilities previously detected have been fixed.
If results that show compliance are not available, request proof of any steps that have been taken to mitigate the risk.
Mitigation steps include using web reputation filters to identify sources of exploits delivered via CSRF, web application firewalls that validate cookie and the referrer field in the HTTP headers, or product specific IPS filters that identify and intercept known CSRF vulnerabilities in web-based applications.
If scan results are not available ask the application administrator to provide evidence that shows the application is designed to address CSRF security issues. There are various methods for mitigating the risk, including using a challenge token that is tied to the users session.
If application scan results show an unremediated CSRF vulnerability, or if no scan results are available, or no mitigations have been enabled, this is a finding.
V-222603
False
APSC-DV-002500
Review the application documentation, the code review reports and the vulnerability assessment scan results from the automated vulnerability assessment tools.
Verify scan configuration settings include web-based application settings which include XSS tests.
Review the scan results for CSRF vulnerabilities.
If the scan results indicate aspects of the application are vulnerable to CSRF, request subsequent scan data that shows the CSRF vulnerabilities previously detected have been fixed.
If results that show compliance are not available, request proof of any steps that have been taken to mitigate the risk.
Mitigation steps include using web reputation filters to identify sources of exploits delivered via CSRF, web application firewalls that validate cookie and the referrer field in the HTTP headers, or product specific IPS filters that identify and intercept known CSRF vulnerabilities in web-based applications.
If scan results are not available ask the application administrator to provide evidence that shows the application is designed to address CSRF security issues. There are various methods for mitigating the risk, including using a challenge token that is tied to the users session.
If application scan results show an unremediated CSRF vulnerability, or if no scan results are available, or no mitigations have been enabled, this is a finding.
M
4093