Tags: ajax, xss, csrf

Avoiding XSS/XSRF attacks with static parameters


I have some ajax requests that follow a basic pattern:

function(visitorId, sessionId, ...parameters more specific to method call..)

The visitor and session id are randomly generated server side. The visitor and session ids are always used to validate a real visitor with a live session in our software. One method with the signature:

function(visitorId, sessionId, issueId)

Returns the state (open, closed, waiting, etc) of the current customer's issue represented as an int. Today I got flagged by a security report from one of our customers stating that this particular method is vulnerable to cross site request forgery because

The test result seems to indicate a vulnerability because the same request was sent twice in different sessions, and the same response was received. This shows that none of the parameters are dynamic (session identifiers are sent only in cookies) and therefore that the application is vulnerable to CSRF.

A couple things to note:

  1. These methods are only available for POST requests, if that matters.

  2. A "session" in our software is not tied to a session for the browser, or IIS. Our software is a Windows Service, so IIS could go down, the browser could close, and we would retain that session until our internal session tracker determines it's time to get rid of it.

  3. The Ajax requests are being sent to a WCF service that then relays the request to our Windows service.

This has me scratching my head because the majority of our methods follow this pattern of static parameters, but they also tend to return unique data. This makes me wonder whether, if I just returned the state along with some random data, I could potentially pass this security test, but that just doesn't seem right. What is the best way to approach this?


Solution

  • The best is to reply to the report, explaining how your sessions work and that as a result this "detection" is a false positive.

    A significant number of "vulnerability reports" from some "consultants" are repackaged results from a misconfigured or a confused scanner such as HP AppScan. You don't need to change your code to "comply" where there is no real issue.

    Just mention "false positive" and see what they say :)
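To make the false-positive argument concrete, here is an added model (not the asker's WCF or Windows Service code, and not part of the original answer) of the two things the report conflates: the scanner's heuristic, which replays one captured request under two different cookie sessions and flags CSRF when the body is unchanged and the responses match, versus what a cross-site forger can actually send, where the victim's cookies ride along automatically but the body has to be built without knowing the victim's visitorId and sessionId. The session tracker, the random ids, the cookie values and the issue table are all constructed stand-ins for the setup described in the question.

```python
"""Scanner heuristic vs. an actual forged request for a POST method authorised by
(visitorId, sessionId) carried in the request body rather than in cookies.

Constructed example; the tracker, ids and issue table are assumptions standing in
for the Windows Service described in the question.
"""
import secrets

# Constructed issue table: issueId -> state int (the open/closed/waiting encoding is assumed).
ISSUE_STATES = {"issue-1": 0, "issue-2": 1}


class SessionTracker:
    """Stand-in for the service's own session tracker: sessions live independently of
    browser or IIS cookies, exactly as the question describes."""

    def __init__(self):
        self._live = {}  # sessionId -> visitorId

    def open_session(self):
        # Server-generated, unguessable ids (128 bits each); these are the "static"
        # parameters the scanner saw repeated in every request.
        visitor_id = secrets.token_hex(16)
        session_id = secrets.token_hex(16)
        self._live[session_id] = visitor_id
        return visitor_id, session_id

    def is_live(self, visitor_id, session_id):
        return self._live.get(session_id) == visitor_id


def get_issue_state(tracker, method, cookies, body):
    """The relayed method from the question: POST only, authorised by the
    (visitorId, sessionId) pair in the body. Cookies are deliberately ignored."""
    if method != "POST":
        return 405, None
    if not tracker.is_live(body.get("visitorId"), body.get("sessionId")):
        return 403, None
    return 200, ISSUE_STATES.get(body.get("issueId"))


def scanner_replay(tracker, body):
    """The heuristic quoted in the report: identical body, two different cookie
    sessions, identical successful responses -> 'parameters are not dynamic'."""
    resp_a = get_issue_state(tracker, "POST", {"cookie": "scanner-session-A"}, body)
    resp_b = get_issue_state(tracker, "POST", {"cookie": "scanner-session-B"}, body)
    return resp_a == resp_b == (200, ISSUE_STATES[body["issueId"]])


def forged_cross_site_request(tracker, victim_cookies, issue_id):
    """What a cross-site page can make the victim's browser send: the victim's
    cookies are attached automatically, but the body must be authored without
    knowledge of the victim's visitorId/sessionId."""
    body = {"visitorId": "guess", "sessionId": "guess", "issueId": issue_id}
    return get_issue_state(tracker, "POST", victim_cookies, body)


def demo():
    tracker = SessionTracker()
    visitor_id, session_id = tracker.open_session()
    body = {"visitorId": visitor_id, "sessionId": session_id, "issueId": "issue-1"}
    flagged = scanner_replay(tracker, body)  # True: the heuristic fires
    forged = forged_cross_site_request(tracker, {"cookie": "victim-browser"}, "issue-1")
    return flagged, forged  # (True, (403, None))


if __name__ == "__main__":
    flagged, forged = demo()
    print(f"scanner heuristic flags CSRF: {flagged}")
    print(f"forged cross-site request result: {forged}")
```

The heuristic fires because it equates "same body across cookie sessions" with "nothing in the request is bound to the session", which is only true when the session lives in the cookie; here the random ids in the body are the session binding, so the forged request is rejected. Appending random data to the response, as the question wonders, would only break the comparison inside `scanner_replay` and change nothing about what `forged_cross_site_request` can achieve. The argument does depend on the ids being generated with a CSPRNG and not being exposed to other origins, which is the point worth stating when replying to the report.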