Absence of Anti-CSRF Tokens

Mic Brown, Apr 17 2024

Hi, a vulnerability scan was done using OWASP ZAP on my Oracle APEX application and it shows the following medium alert.
No Anti-CSRF Tokens: No Anti-CSRF tokens were found in an HTML submission form. No Anti-CSRF token.
GET method
Evidence: <form role="none" action="wwv_flow.accept p_context=100:9999:8791051967498" method="post" name="wwv_flow" id="wwvFlowForm" data-oj-binding-provider="none" novalidate autocomplete="off">
Other Info: No Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken,
csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token,
_csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the
following HTML forms: [Form 1: "P9999_PASS" "P9999_USER"
"pContext" "pFlowId" "pFlowStepId" "pInstance" "pPageFormRegionChecksums"
"pPageItemsProtected" "pPageItemsRowVersion" "pPageSubmissionId"
"pReloadOnSubmit" "pRequest" "pSalt" ].

Any recommendations to make to solve this?

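Added example (not part of the original post and not ZAP's own code): a sketch of the name-list check that the alert's "Other Info" describes, run over a constructed form carrying the field names the alert reports. The case-insensitive matching, the `partial` option, and the helper names `build_form`, `FormFieldCollector` and `forms_without_token` are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Token names copied from the alert's "Other Info" text.
ZAP_TOKEN_NAMES = [
    "anticsrf", "CSRFToken", "__RequestVerificationToken",
    "csrfmiddlewaretoken", "authenticity_token", "OWASP_CSRFTOKEN",
    "anoncsrf", "csrf_token", "_csrf", "_csrfSecret", "__csrf_magic",
    "CSRF", "_token", "_csrf_token",
]

# Field names copied from the alert; the markup around them is constructed.
ALERT_FIELDS = [
    "P9999_PASS", "P9999_USER", "pContext", "pFlowId", "pFlowStepId",
    "pInstance", "pPageFormRegionChecksums", "pPageItemsProtected",
    "pPageItemsRowVersion", "pPageSubmissionId", "pReloadOnSubmit",
    "pRequest", "pSalt",
]

def build_form(field_names):
    """Constructed sample form: one hidden input per field name."""
    inputs = "".join(f'<input type="hidden" name="{n}" value="">' for n in field_names)
    return f'<form method="post" name="wwv_flow" id="wwvFlowForm">{inputs}</form>'

class FormFieldCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []        # one list of field names per <form>
        self._current = None   # list for the form being parsed, if any
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._current = []
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = dict(attrs).get("name")
            if name:
                self._current.append(name)
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def forms_without_token(html, token_names=ZAP_TOKEN_NAMES, partial=False):
    """Return (form_index, field_names) for each form with no listed token name."""
    wanted = [t.lower() for t in token_names]
    collector = FormFieldCollector()
    collector.feed(html)
    match = (lambda t, f: t in f) if partial else (lambda t, f: t == f)
    return [(i, names) for i, names in enumerate(collector.forms)
            if not any(match(t, n.lower()) for n in names for t in wanted)]
```

A hit or miss here only says whether a field name is on the list; whether the form's own hidden fields protect against forged requests has to be verified separately.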