Home → Problems →

Doesn't seem to perform CSRF or XSS checks on AJAX requests

• Edit

Luke

Nov 29, 2016 @ 07:25 PM

I'm not sure if this is something within Arachni's feature set that is just failing on our app for some reason, or if it's just not supported at all. I'll try and do my best to describe the issue.

We have a single page web app which uses Angular on the front end. There are only a couple of places that accept user input, and in all cases the user input is taken from input text fields which are bound to objects in the ajax scope, results are then submitted to then submitted to the server by clicking a button which then calls some javascript which in turns makes an ajax request to the server.

We can see that some of these requests are getting submitted to the server, but we can't see any sign of them being submitted with different parameters to try and inject content etc. We also know that CSRF protection is absent on these ajax calls, and had expected this to be picked up by the scan, but it isn't.

Also, some of the forms don't seem to be being submitted at all, and we suspect that this is because they javascript does not submit them if required fields are not filled in, and our guess is that these fields are not being filled before the button is "clicked" (the logs suggest it is being "clicked" at least).

1. Support Staff 1 Posted by Tasos Laskos on Dec 01, 2016 @ 11:21 AM

   

   Testing for CSRF requires a form HTML node in order to identify nonces, AJAX requests are just HTTP calls and thus lack a lot of context.

   About the inputs not being fuzzed, can you try the nightlies please?
   If that doesn't work then I'm afraid I'll need access to the webapp to debug the issue.

   • Edit

2. 2 Posted by Luke on Dec 01, 2016 @ 11:38 AM

   

   Hi,

   Yeah, I thought it may just check for forms, as I thought it was maybe missing it because it wasn't set up as a form, so I set it up as a form, and it reported a CSRF vulnerability, but it would still have done so even if we did add a CSRF token to the AJAX call, so didn't really help much. (We have another app that dynamically adds CSRF tokens when forms are submitted [to ensure the token is up-to date], and that tends to get incorrectly reported as having CSRF vulnerabilities).

   Is checking for CSRF protection on AJAX calls something that is likely to be added, or is it just to complex to scan for? If a POST call can be made, for example, with the same parameters/body each time, and no special headers required by the server, could it flag this vulnerable to CSRF attacks?

   In terms of the inputs being fuzzed, I was using the latest nightly (as the standard download wasn't working in OSX 10.12 (due to an issue finding libraries which I found was already logged). I'll give it another try with extra logging on the server to make extra sure, and will then see if I can make something available if I'm still sure it's not doing anything.

   • Edit

3. Support Staff 3 Posted by Tasos Laskos on Dec 01, 2016 @ 11:43 AM

   

   Detecting anti-CSRF tokens in AJAX calls would have the same accuracy as guessing and would require a lot of work to only marginally increase the accuracy, I don't think it's worth it.
   At least when you have a form node you can make an educated guess, but it's still just a guess and will miss cases when tokens are added dynamically.

   I'll be awaiting your feedback regarding the other issue.

   Cheers

   • Edit

4. 4 Posted by Luke on Dec 01, 2016 @ 04:04 PM

   

   OK, this is weird, now I've added some logging on the server side, it seems it's not calling the API at all when running checks, and only does so when I scan with --checks -.

   I don't have an externally accessible version that you can test on, but will see if I can create a simplified example to replicate the issue. Might not have time this week, though.

   • Edit

5. Support Staff 5 Posted by Tasos Laskos on Dec 06, 2016 @ 12:49 PM

   

   Thanks, let me know when you set it up.

   Cheers

   • Edit

6. Tasos Laskos closed this discussion on Feb 05, 2017 @ 11:14 AM.