Correct method to pass Zap Absence of Anti-CSRF Tokens test for newsletter signup form

Time: 01-04

I have a public facing form that, I believe, does not need CSRF protection. It is just a newsletter signup form. But when we run Zap Pen Test on it we get the following error:

No Anti-CSRF tokens were found in a HTML submission form.

Evidence:
<form data-cookie-name="newsletter" data-marketo-id="1031" id="newsletterForm"  ng-submit="submit(newsletterForm)" ng-controller="NewsletterSignupController" name="newsletterForm">

This newsletter uses Angular as a controller and we are doing a POST in the controller to send the email to the server.

Questions:

  1. Do I really need to implement CSRF tokens on a public facing Form? If not, how do I get the Pen Test to pass without this error?

CodePudding user response:

  • Well, you can mark it false positive (in the GUI or via the API).
  • You can set up an Alert Filter to set it False Positive.
  • You can set a rule configuration to ignore the form in question.

Whether you need to prevent CSRF on the form is a business owner question. Are there processing concerns? Are there concerns around complaints or reputational damage?
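If the business decision goes the other way and the form should carry a token, the cheapest fix for a stateless newsletter endpoint is an HMAC-based token: the server issues it with the form, the Angular controller sends it back with the POST, and the server verifies it without keeping any state. The following is an added example, not code from the question or from ZAP; the `newsletter` cookie value, the `X-CSRF-Token` header name, the `csrf_token` field, the secret and the request shapes are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for this example; a real deployment loads it from
# configuration or a secret store and never ships it to the browser.
SERVER_SECRET = b"example-server-secret-change-me"
TOKEN_TTL_SECONDS = 3600


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Return a stateless token bound to the visitor's cookie value and a timestamp.

    Format: <issued-unix-time>.<nonce>.<hmac-sha256 hex>. The MAC covers the
    session id, so a token lifted from one visitor cannot be replayed for another.
    """
    issued = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{issued}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Check structure, expiry and MAC; constant-time compare on the MAC."""
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    # Reject expired tokens and tokens claiming to come from the future.
    if current - issued > TOKEN_TTL_SECONDS or issued > current + 60:
        return False
    msg = f"{session_id}:{issued_s}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def render_form(session_id: str) -> str:
    """Embed the token as a hidden field, which is what the ZAP rule looks for.

    The Angular controller can read this field (or a meta tag) and send it in
    the X-CSRF-Token header on its POST.
    """
    token = issue_csrf_token(session_id)
    return (
        '<form id="newsletterForm" name="newsletterForm">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="email" name="email">'
        "</form>"
    )


def handle_newsletter_post(headers: dict, cookies: dict, body: dict) -> tuple:
    """Minimal request handler: (status, message). Assumed request shape."""
    session_id = cookies.get("newsletter")  # cookie name taken from the form's data-cookie-name
    token = headers.get("X-CSRF-Token") or body.get("csrf_token")
    if not session_id or not token or not verify_csrf_token(token, session_id):
        return 403, "CSRF check failed"
    email = body.get("email", "")
    if "@" not in email:
        return 400, "invalid email"
    return 200, "subscribed"


if __name__ == "__main__":
    # Constructed walk-through: one visitor, one form render, one POST.
    visitor = secrets.token_hex(16)
    html = render_form(visitor)
    token = html.split('value="')[1].split('"')[0]
    print(handle_newsletter_post({"X-CSRF-Token": token}, {"newsletter": visitor}, {"email": "a@example.com"}))
```

Binding the token to the visitor's cookie value is what gives it meaning: a token with no binding would still make the ZAP rule pass, but would not stop a cross-site POST. The same verification applies whether the token arrives in a header from Angular or as a hidden form field from a plain submit.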
