Friday, 6 May 2016

Acunetix scan of Laravel login page

I have an application written using the Laravel 5.1 framework. Recently, one of my clients ran an Acunetix security scan on the application and found an HTML form with no apparent CSRF protection on my login page.

However, the login form DOES have CSRF protection. The name of the element with the CSRF token is "_token". The scan result says "Discovered by: Crawler".

So my questions are:

  • Why is Acunetix showing this result?
  • Is "_token" not a recognized name for a CSRF token element? Should I add another hidden element to the form with the same value using a more recognizable name?
  • What does "Discovered by: Crawler" mean? Does this mean the scan only checks the form HTML and nothing else?

Below is the snippet of the HTML form blade template:

@section('content')
    <form id="loginForm" class="form-signin" role="form" method="POST" action="">
        <h2 class="form-signin-heading"><img src="/images/J10_Logo_330x194.jpg" alt=""></h2>
        {{-- CSRF token field; the value is intentionally left blank here (see the note below the snippet) --}}
        <input type="hidden" name="_token" value="">
        <label for="username" class=""></label>
        {{-- "username" is not a valid input type; "text" is what browsers fall back to --}}
        <input type="text" class="form-control" name="username" value="">
        <label for="inputPassword" class=""></label>
        <input type="password" class="form-control" name="password" autocomplete="off">
        <div class="forgot-password"><input type="checkbox" name="remember"> </div>
        <div class="forgot-password"><a href="#"></a></div>
        <button type="submit" class="btn btn-lg btn-primary btn-block"></button>
        @if (count($errors) > 0)
            <p class="text-danger">
                @foreach ($errors->all() as $error)
                    {{ $error }}<br />
                @endforeach
            </p>
        @endif
    </form>
@endsection

You may notice that in the above snippet, the "_token" element value is blank. This is intentional, since I am basically trying to "circumvent" Acunetix's detection by only setting its value using JavaScript, as everything I have tried so far does not seem to work.



via Chebli Mohamed
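The distinction the question turns on is between what a crawler can see in the form HTML and what the server actually enforces. The following added example (not part of the original post, and not Acunetix's or Laravel's code) models both: a static check that inspects hidden fields, and a behavioural check that submits a login POST with a missing, wrong and correct token. The set of token field names and the empty-value rule are assumptions made for the example; Acunetix's real rules are not on the page. The sample forms and the login handler are constructed for the example.

```python
import hmac
import secrets
from html.parser import HTMLParser

# Hidden-field names a simple static check might treat as CSRF tokens.
# This set is an assumption made for the example; it is not Acunetix's rule set.
TOKEN_FIELD_NAMES = {"_token", "csrf_token", "csrfmiddlewaretoken",
                     "authenticity_token", "__RequestVerificationToken"}

# Constructed sample: the question's login form with the _token value left blank.
FORM_BLANK_TOKEN = """
<form id="loginForm" method="POST" action="/login">
  <input type="hidden" name="_token" value="">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed sample: the same form with the token rendered server-side.
FORM_WITH_TOKEN = FORM_BLANK_TOKEN.replace('value=""', 'value="3f9a1c"')


class FormInspector(HTMLParser):
    """Collect each <form> with its method and its hidden inputs (name -> value)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "GET").upper(), "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "hidden":
            self._current["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def static_csrf_check(html):
    """What a crawler-style check can see: does each POST form carry a filled token field?"""
    inspector = FormInspector()
    inspector.feed(html)
    findings = []
    for i, form in enumerate(inspector.forms):
        if form["method"] != "POST":
            continue
        tokens = {n: v for n, v in form["hidden"].items() if n in TOKEN_FIELD_NAMES}
        if not tokens:
            findings.append(f"form {i}: no CSRF token field")
        elif not any(tokens.values()):
            findings.append(f"form {i}: token field present but empty")
    return findings


class Session:
    """Stand-in for a server session holding the per-session CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(20)


def login_handler(session, posted):
    """Server side: accept the POST only if _token matches the session token (constant time)."""
    token = posted.get("_token", "")
    return bool(token) and hmac.compare_digest(token, session.csrf_token)


def behavioural_csrf_check(handler):
    """What actually proves protection: submit with a missing, wrong and correct token."""
    session = Session()
    base = {"username": "alice", "password": "x"}
    findings = []
    if handler(session, dict(base)):
        findings.append("accepted POST with no token")
    if handler(session, dict(base, _token="not-the-token")):
        findings.append("accepted POST with wrong token")
    if not handler(session, dict(base, _token=session.csrf_token)):
        findings.append("rejected POST with correct token")
    return findings


if __name__ == "__main__":
    print("static, blank token :", static_csrf_check(FORM_BLANK_TOKEN))
    print("static, filled token:", static_csrf_check(FORM_WITH_TOKEN))
    print("behavioural         :", behavioural_csrf_check(login_handler))
```

Run as-is, the static check flags the blank-token form while the behavioural check reports no problems for the handler, which is the situation described in the question: a form whose token is only filled in by JavaScript looks unprotected to a check that reads the served HTML, even though the server rejects requests without a valid token. A scanner finding tagged with a crawler as its source is worth confirming with the behavioural test rather than with field renaming.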
