I recently accepted the application, and we recently ran AppScan on it, and I got an item marked as vulnerable. The correction task proposed in the report was to reject malicious requests. The report says AppScan tried:
The following changes were applied to the original request: Set the HTTP header to 'http://bogus.referer.ibm.com'
I had noted this the first time we ran AppScan, and put in code to check whether UrlReferrer is provided; if so, make sure it matches the host in the URL, otherwise kill the user session and redirect to the login page. We ran AppScan again and it was flagged again, and I'm not sure how to handle this.
When I look at the report, it shows that it put in a dummy referrer, the server responded with status 302 and redirected, and then a request for the login page followed, to which the server answered 202, serving it. Google Apps recipients say:
The same request was sent twice in different sessions, and the same response was received. This shows that none of the parameters is dynamic (session identifiers are sent only in cookies), and therefore the application is vulnerable to this problem.
But wouldn't the answer always be the same? If the verification fails, then a 302 followed by a 202 opens the redirect and the login page, regardless of the user. Does anyone know how to handle this? I suppose I could put the user's session ID in the redirect URL, so AppScan sees that it is different, but I thought there should be a different way.
This is a .NET 4 application. Users are tracked using the Session object, if that matters; Forms Authentication is not used.
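The scanner's check described above looks for something in the request that is bound to the session, which a Referer check alone never produces. The following is an added, framework-independent illustration (not code from the post, from AppScan or from .NET) of a session-bound synchronizer token validated alongside the Referer check; plain dicts stand in for the Session object and the request, and the host name is a constructed placeholder.

```python
"""Session-bound anti-CSRF (synchronizer) token check, with Referer as a secondary check.

Constructed illustration: dicts stand in for the ASP.NET Session object and HttpRequest.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_KEY = "csrf_token"  # name used both in the session store and in the hidden form field


def issue_token(session: Dict[str, str]) -> str:
    """Create (once per session) the random token that every form must embed."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def referer_ok(referer: Optional[str], host: str) -> bool:
    """Secondary check: when a Referer is present, it must name our own host."""
    if not referer:
        return True  # many clients and proxies strip Referer; absence alone proves nothing
    return urlsplit(referer).hostname == host.split(":")[0].lower()


def validate_request(session: Dict[str, str], form: Dict[str, str],
                     referer: Optional[str], host: str) -> str:
    """Decide the outcome of a state-changing POST: 'ok' or 'rejected'.

    'ok' requires the submitted token to equal the token bound to *this* session,
    so the same form replayed in another session is rejected. That per-session
    difference is exactly what the scanner's two-session replay looks for.
    """
    expected = session.get(TOKEN_KEY, "")
    submitted = form.get(TOKEN_KEY, "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "rejected"
    if not referer_ok(referer, host):
        return "rejected"
    return "ok"


def demo() -> Tuple[str, str, str]:
    """Replay one form in the issuing session, in a second session, and with the scanner's bogus Referer."""
    host = "app.example.test"  # constructed host name
    victim, other = {}, {}
    form = {TOKEN_KEY: issue_token(victim), "action": "update-profile"}
    issue_token(other)  # the second session has its own, different token
    same_session = validate_request(victim, form, f"https://{host}/form", host)
    other_session = validate_request(other, form, f"https://{host}/form", host)
    bad_referer = validate_request(victim, form, "http://bogus.referer.ibm.com", host)
    return same_session, other_session, bad_referer
```

In the .NET application the token would live in Session and be emitted as a hidden field on every form, and the check would run on each POST before the action is performed.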