<p>Doesn't seem to perform CSRF or XSS checks on AJAX requests</p>
<p>Arachni: Discussion, updated 2017-02-05T11:14:33Z</p>
<p>Posted 2016-12-01T11:21:28Z:</p>
<div><p>Testing for CSRF requires a form HTML node in order to identify
nonces, AJAX requests are just HTTP calls and thus lack a lot of
context.</p>
<p>About the inputs not being fuzzed, can you try the nightlies
please?<br>
If that doesn't work then I'm afraid I'll need access to the webapp
to debug the issue.</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-12-01T11:38:39Z (updated 2016-12-01T11:38:42Z):</p>
<div><p>Hi,</p>
<p>Yeah, I thought it may just check for forms, as I thought it was
maybe missing it because it wasn't set up as a form, so I set it up
as a form, and it reported a CSRF vulnerability, but it would still
have done so even if we did add a CSRF token to the AJAX call, so
didn't really help much. (We have another app that dynamically adds
CSRF tokens when forms are submitted [to ensure the token is
up-to-date], and that tends to get incorrectly reported as having CSRF
vulnerabilities).</p>
<p>Is checking for CSRF protection on AJAX calls something that is
likely to be added, or is it just too complex to scan for? If a POST
call can be made, for example, with the same parameters/body each
time, and no special headers required by the server, could it flag
this as vulnerable to CSRF attacks?</p>
<p>In terms of the inputs being fuzzed, I was using the latest
nightly (as the standard download wasn't working in OSX 10.12 (due
to an issue finding libraries which I found was already logged)).
I'll give it another try with extra logging on the server to make
extra sure, and will then see if I can make something available if
I'm still sure it's not doing anything.</p></div>
<p>Luke</p>
<p>Posted 2016-12-01T11:43:53Z:</p>
<div><p>Detecting anti-CSRF tokens in AJAX calls would have the same
accuracy as guessing and would require a lot of work to only
marginally increase the accuracy, I don't think it's worth it.<br>
At least when you have a form node you can make an educated guess,
but it's still just a guess and will miss cases when tokens are
added dynamically.</p>
<p>I'll be awaiting your feedback regarding the other issue.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-12-01T16:04:37Z (updated 2016-12-01T16:04:38Z):</p>
<div><p>OK, this is weird, now I've added some logging on the server
side, it seems it's not calling the API at all when running checks,
and only does so when I scan with <code>--checks -</code>.</p>
<p>I don't have an externally accessible version that you can test
on, but will see if I can create a simplified example to replicate
the issue. Might not have time this week, though.</p></div>
<p>Luke</p>
<p>Posted 2016-12-06T12:49:37Z:</p>
<div><p>Thanks, let me know when you set it up.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
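The form-node guess discussed in this thread, as an added Ruby example that is not Arachni's code and not from either poster. It shows why a token added by script at submit time is reported as missing; the name pattern, the entropy threshold and the sample markup are assumptions constructed for illustration.

```ruby
# Added illustration, not Arachni's code. All names here are hypothetical.
TOKEN_NAME = /csrf|xsrf|token|nonce|authenticity/i

# Shannon entropy in bits per character; random tokens score high.
def entropy(str)
  return 0.0 if str.empty?
  str.each_char.tally.values.sum do |n|
    freq = n.to_f / str.length
    -freq * Math.log2(freq)
  end
end

# Return, per <form>, the attribute hashes of its <input> tags.
def forms_in(html)
  html.scan(/<form\b[^>]*>(.*?)<\/form>/mi).map do |(body)|
    body.scan(/<input\b[^>]*>/i).map do |tag|
      tag.scan(/([\w-]+)\s*=\s*"([^"]*)"/).to_h
    end
  end
end

# Educated guess: hidden input with a telltale name or a long random value.
def token_like?(input)
  return false unless input['type'].to_s.downcase == 'hidden'
  value = input['value'].to_s
  input['name'].to_s.match?(TOKEN_NAME) ||
    (value.length >= 16 && entropy(value) >= 3.5)
end

# A form is reported when its static markup shows no token-like input.
def csrf_suspect?(inputs)
  inputs.none? { |i| token_like?(i) }
end

# Constructed sample: token present in the markup.
STATIC_TOKEN = <<~HTML
  <form action="/transfer" method="post">
    <input type="hidden" name="authenticity_token" value="9f2c7a1be04d4c6d8a3356e1b7c0a9d2">
    <input type="text" name="amount">
  </form>
HTML

# Constructed sample: token is appended by script at submit time.
DYNAMIC_TOKEN = <<~HTML
  <form action="/transfer" method="post" onsubmit="addToken(this)">
    <input type="text" name="amount">
  </form>
HTML
```

The second form is protected at runtime but is still reported, because the guess only sees the static markup. A bare AJAX request gives the heuristic no form node to inspect at all.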