bahmni-bihar / bahmni_config


Cross Site Request Forgery (CSRF) throughout the Application #6

Open petmongrels opened 3 years ago

petmongrels commented 3 years ago

Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. A successful CSRF attack can be devastating for both the business and user. It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies.

The “Invalid request due to CSRF token error.” message means that your browser couldn't create a secure cookie, or couldn't access that cookie to authorize your login. This can be caused by ad- or script-blocking plugins or extensions, but also by the browser itself if it's not allowed to set cookies.

"1. We visited the URL and edited the Patient Information by typing TEST CSRF in all fields.
2. We then captured the request in Burp Suite and generated the CSRF PoC under Engagement tools.
3. Then we saved it into Notepad as HTML and opened it in another browser.
4. We noticed that our request for saving the patient information was successfully executed."

Proof of concept is attached along with this tracker.

"https://stackoverflow.com/questions/4303635/cross-site-request-forgery-prevention-using-struts-token

All the places where the form is submitted to change the data, this check can be implemented."

Estimate: 2
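The check the issue points at (a per-session token embedded in every data-changing form and verified on submission, the synchronizer token pattern described in the linked Struts thread), as an added example in Python; it is not Bahmni's or OpenMRS's code. The `Session` and `Request` types, the `csrf_token` field name and the `save_patient` handler are constructed here for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods need no token
TOKEN_FIELD = "csrf_token"                   # hypothetical hidden form field name


@dataclass
class Session:
    """Server-side session (constructed); the token lives here, never in the URL."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal constructed request: method, form fields, and the session the
    browser's cookie resolved to (cookies are attached to cross-site POSTs too)."""
    method: str
    form: dict
    session: Session


def render_form_token(session: Session) -> str:
    """Hidden field the server embeds in each form that changes data."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}">'


def csrf_check(request: Request) -> bool:
    """True if the request may proceed: safe methods pass, anything that changes
    data must carry the token bound to the caller's own session."""
    if request.method.upper() in SAFE_METHODS:
        return True
    submitted = request.form.get(TOKEN_FIELD, "")
    # Constant-time comparison so timing differences leak nothing about the token.
    return hmac.compare_digest(submitted, request.session.csrf_token)


def save_patient(request: Request) -> str:
    """State-changing handler (constructed) guarded by the check."""
    if not csrf_check(request):
        return "403 Forbidden: invalid or missing CSRF token"
    return f"200 OK: saved {request.form.get('given_name', '')!r}"


if __name__ == "__main__":
    session = Session(user="clinician")
    good = Request("POST", {"given_name": "TEST CSRF", TOKEN_FIELD: session.csrf_token}, session)
    forged = Request("POST", {"given_name": "TEST CSRF"}, session)  # cookie sent, token absent
    print(save_patient(good))    # 200 OK ...
    print(save_patient(forged))  # 403 Forbidden ...
```

A form page produced by a different origin cannot read the token out of the user's session, so the fourth step in the report above (the forged save succeeding) is what this check turns into a 403.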

petmongrels commented 3 years ago

Fixed via apache hence applies to both the systems