F
Filament6mo ago
阿lam

CSRF issue on passing ZAP Security Test

I go some medium Risk Level after User scan the website. I am using the "Filament Form" to do some filtering select options. Got following description in the report No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: The victim has an active session on the target site. The victim is authenticated via HTTP auth on the target site. The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy. some items like <form wire:submit="submitForm"> No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] is there any idea to solve this?
2 Replies
DrByte
DrByte6mo ago
Does this only occur when the Forms package is used separate from the main Filament package (which includes Panels, Forms, Tables, etc)? Filament is based on Livewire and Laravel, and Livewire uses CSRF tokens natively for everything, and Laravel's default middleware stack blocks any form submissions that don't contain a valid CSRF token ... so what you're reporting is quite unexpected ... unless you've removed the Laravel middleware that handles CSRF tokens.
阿lam
阿lam6mo ago
yes : Forms package is used separate from the main Filament package
Want results from more Discord servers?
Add your server
More Posts
Use Notification for error 500 in productionHello, With error handling, how do you manage to display a notification instead of the classical bigHi is it possible to add an action to a Grouped set of rows (so the button is on the group row)?Hi is it possible to add an action to a Grouped set of rows (so the button is on the group row)?How to get the value of an attribute in a repeater with relation?I have two models Year and Periods, they are related from one to many. But with the Get $get attribuHow to click multiple times on the screen.I have 1 form + 1 action button of that form (called button A). Below the form there is a list, eachTable tabs in filament 2is there a way to implement table tabs in filament version 2?Modal does not work in a Custom PageHello, I am building a custom page but nothing happens when I click on the column action : ```php /Column 'name' in where clause is ambiguousI have quite an extensive admin-panel with lots of columns and custom filters/queries. This works fUsing many settings group in one page with Tabs ?Do you know if is it possible to have in each tab of a form, a specific group defined with #spatie-sFileUpload on edit pageI have a FileUpload field on a form. How can i add file uploaded when i edit this form. I try this V2 -> V3 Plugin - custom view not picking up stylingIn v2 my custom view rendered fine - picking up the TW classes In v3 it's not rendering correctly.