ctonerich / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0

Meaning of "HTML form with no apparent XSRF protection" #94

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
These were all for the URL http://x.x.x.x:4000/foo/search?q=1.

I guess the high-level question is: what is this referring to, a form on the 
page specified or the search form that led to this URL? I'm guessing the former 
(the search action is just a GET).

In the responses, I couldn't find any POST forms that didn't have a hidden 
authentication token field. The token doesn't change, though - is that what's 
being complained about? It's constant for the session. We're (deliberately) not 
dynamically generating tokens that e.g. time-bound the form validity, if that's 
what's implicitly being suggested.

Original issue reported on code.google.com by yaa...@gmail.com on 22 Oct 2010 at 11:58

GoogleCodeExporter commented 9 years ago
Please don't file questions as bugs; feel free to ping me at lcamtuf@gmail.com, 
instead.

All HTML forms with no XSRF protection are listed in the report, and the 
specified URL is the location at which that form appeared in HTML source. It's 
up to you to review this list and decide which ones are of any concern, and 
which ones aren't, because this can't be settled programmatically.

Token detection is done heuristically - so if the form in question does have 
such a token, this may be a false positive; in this case, it would be good to 
see the format of this token, and the framework that generated it.

Original comment by lcam...@gmail.com on 23 Oct 2010 at 12:45
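
The reply above says token detection is heuristic, so a form that does carry a token can still be listed. As an added illustration (not skipfish's code and not written by either commenter), the following simplified check shows how that happens; the name patterns, the 16-character threshold and the sample HTML are all assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic (not skipfish's own): a hidden field counts as a token if its
# name hints at one, or its value is long and mixes letters and digits.
NAME_HINT = re.compile(r"csrf|xsrf|token|nonce", re.I)
VALUE_SHAPE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

def looks_like_token(name, value):
    if NAME_HINT.search(name or ""):
        return True
    value = value or ""
    return bool(VALUE_SHAPE.match(value)
                and re.search(r"\d", value) and re.search(r"[A-Za-z]", value))

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []    # one record per <form> seen
        self._open = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(),
                          "protected": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "hidden":
            if looks_like_token(a.get("name"), a.get("value")):
                self._open["protected"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def unprotected_forms(html):
    parser = FormAudit()
    parser.feed(html)
    return [(f["method"], f["action"]) for f in parser.forms if not f["protected"]]

# Constructed sample: GET search form, POST with short numeric field, POST with long value.
SAMPLE = """
<form action="/foo/search"><input name="q"></form>
<form action="/foo/save" method="post"><input type="hidden" name="auth" value="48213"></form>
<form action="/foo/delete" method="post"><input type="hidden" name="k" value="9f2c4e7a1b0d83c6a5e4"></form>
"""
if __name__ == "__main__":
    print(unprotected_forms(SAMPLE))
```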