UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application does not have CSRF vulnerabilities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-21500 APP3585 SV-23685r1_rule DCSQ-1 Medium
Description
Cross Site Request Forgery (CSRF) is an attack where an end user is previously authenticated to a specific website and the user through social engineering (e.g., e-mail or chat) launches a hyperlink which executes unwanted actions on a website. A CSRF attack may execute any web site request on behalf of the user leading to compromise of the user’s data.
STIG Date
Application Security and Development Checklist 2014-04-03

Details

Check Text ( C-25722r1_chk )
Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool.

If the results are provided from a manual code review, the application representative will need to demonstrate how CSRF vulnerabilities are identified during code reviews.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify CSRF, it is a finding.


Fix Text (F-22999r1_fix)
Add a nonce to web forms every time the URL is requested. The nonce is in addition to the standard session identifier.