Declined
Last Updated: 22 Jun 2023 15:27 by n/a
Dion
Created on: 14 Jul 2022 06:29
Category: Kendo UI for jQuery
Type: Bug Report
0
Missing Anti-CSRF tokens in kendo.all.min.js

Bug report

Missing Anti-CSRF tokens trigger security alerts when testing for security compliance with OWASP ZAP.

Reproduction of the problem

https://www.telerik.com/forums/how-to-resolve-absence-of-anti-csrf-token-alert-in-kendo-all-min-js-1559042

Current behavior

Expected/desired behavior

Environment

  • Kendo UI version: 2022.2.621
  • jQuery version: x.y
  • Browser: [all]
6 comments
n/a
Posted on: 22 Jun 2023 15:27
Hi Dion,

We have the same situation with this file kendo.all.min.js, in which the mentioned vulnerabilities are reported to us. Could you please tell me how you modified said file to solve these vulnerabilities, since I have been trying several ways to include the Anti-CSRF token in this file but they have not worked for me.

Regards,
ADMIN
Ivan Danchev
Posted on: 24 Feb 2023 13:52

Hi Dion,

I agree that it will be more convenient if we have the respective logic in the library, and this way there will be no need to modify the library manually. I've talked to the team and they agreed that instead of this remaining as a declined Bug Report, we can have it as a feature request. This will allow us to measure the interest of the community and gather more feedback for a possible internal implementation for handling the Anti-CSRF tokens: https://feedback.telerik.com/kendo-jquery-ui/1599021-handle-anti-crsf-tokens-in-kendo-all-min-js

I've added a vote on your behalf. Any additional input on scenarios that you expect to be handled is welcome, as well as details about the environment/-s you are using the library in. You can provide such info with a comment to the Feature Request item linked above.

Thank you for your involvement in this subject.

Regards,
Ivan Danchev
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Dion
Posted on: 20 Feb 2023 09:49

Hi Ivan,

I think you are missing my point here. EVERY time we update your software, we have to modify kendo.all.min.js and put in a placeholder token to avoid the false alerts coming from ZAP and other security tools. EVERY customer has to do this.

We too have implemented anti-CSRF elsewhere and pass it on all our forms. Only your JavaScript library alerts.

It would take the Telerik team very little to put the same anti-CSRF placeholders in place so that the ZAP and other alerts don't trigger and your customers don't have to update your libraries manually every time. It does not require a full implementation of anti-CSRF tokens. Just a placeholder.

By forcing your customers to manually edit the file with every update, you risk introducing new problems, bugs, corruption and increasing your own support issues. All could be avoided with a simple placeholder.

Regards,

Dion

ADMIN
Ivan Danchev
Posted on: 20 Feb 2023 09:39

Hello Dion,

Currently, since we don't have dedicated logic implemented for the Anti-CSRF tokens, it is up to the developer to implement the respective logic that handles them according to their specific use case. Unfortunately, the community hasn't shown much interest in this, neither in the feedback portal nor in the ticketing system, so we don't have any immediate plans to make changes to the source code related to that topic.

If you need guidance and assistance with modifying the source code, I can put you in contact with our Professional Services team. They specialize in areas that are outside the scope of the Support Service, such as source code customizations or integrations of our products with third-party software. Please be advised that this is a paid service. If you are interested, let me know and I'll make sure my colleagues get in touch with you.

Regards,
Ivan Danchev
Progress Telerik

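The "respective logic" mentioned in the reply above is the application's own responsibility, and the usual place for it is a jQuery AJAX prefilter, because Kendo UI's default remote transport sends its requests through jQuery.ajax. The following is an added example, not code from the thread, from Telerik or from Kendo UI. It assumes, as illustration, that the server validates a request header named "RequestVerificationToken" (the ASP.NET Core antiforgery default) and that the page renders the token into a hidden input named "__RequestVerificationToken"; both names are configurable and should match the server setup. It does not touch kendo.all.min.js at all, which is the point: the token is attached by the application, so the library file needs no placeholder for the token to be sent.

```javascript
// Added example (not Telerik/Kendo code): attach an anti-CSRF token to every
// state-changing, same-origin jQuery AJAX request. Kendo UI's remote transport
// uses jQuery.ajax, so its create/update/destroy requests are covered as well.
// Assumptions (not from the thread): header name "RequestVerificationToken"
// and hidden input "__RequestVerificationToken" (ASP.NET Core antiforgery
// defaults); adjust both to match the server-side configuration.

const CSRF_HEADER = "RequestVerificationToken";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Safe (read-only) methods carry no token. Cross-origin requests never get
// it either, so a misconfigured transport URL cannot leak the token to a
// third-party host.
function needsCsrfToken(method, crossDomain) {
  const m = String(method || "GET").toUpperCase();
  return !SAFE_METHODS.has(m) && !crossDomain;
}

// Read the token from the rendered page. `doc` is anything with
// querySelector, so it is the real `document` in the browser and a stub
// in tests.
function readTokenFromDom(doc, inputName = "__RequestVerificationToken") {
  const el = doc.querySelector(`input[name="${inputName}"]`);
  return el ? el.value : null;
}

// Register a jQuery prefilter. jQuery resolves `options.type` and
// `options.crossDomain` before prefilters run, and applies `options.headers`
// afterwards, so the decision is made on the final request settings.
function installCsrfPrefilter($, getToken, headerName = CSRF_HEADER) {
  $.ajaxPrefilter(function (options) {
    if (!needsCsrfToken(options.type, options.crossDomain)) return;
    const token = getToken();
    if (!token) {
      // No token on the page: leave the request alone. The server-side
      // antiforgery check rejects it, which is the control that matters.
      return;
    }
    options.headers = Object.assign({}, options.headers, { [headerName]: token });
  });
}

// Browser wiring; runs only where jQuery and a document exist.
if (typeof jQuery !== "undefined" && typeof document !== "undefined") {
  installCsrfPrefilter(jQuery, () => readTokenFromDom(document));
}
```

Include this script after jQuery and before any Kendo DataSource is created. The header approach is deliberate: appending the token to the request body would depend on each Kendo transport's `contentType` and parameter map, whereas a header is set the same way for JSON and form-encoded requests. The ZAP "Absence of Anti-CSRF Tokens" alert is a passive rule that looks for a token field in HTML forms, so it will still fire on anything it classifies as a form in the library source; this code addresses the actual protection of the requests, not the scanner's heuristic.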

Dion
Posted on: 14 Feb 2023 05:21

So to confirm: the expected behaviour is to trigger an alert in all pen-test tools and waste your customers' time having to explain to people that this is a false positive and that it is handled elsewhere by their own implementation.

Alternatively, to avoid this alert, your customers have to manually edit the file each time adding a placeholder token so that the alert is not triggered.

A very simple couple of lines can remove this issue and save all your customers a lot of hassle and time.

ADMIN
Ivan Danchev
Posted on: 24 Aug 2022 14:25

Hello Dion,

After further investigation, the dev team decided that it is not viable to add Anti-CSRF tokens to kendo.all.min.js, because Kendo UI is used in different environments, not only in .NET (e.g., MVC, Core). Thus adding tokens and covering all potential requests and environments would require significant changes to the source code. In other words, the lack of tokens is not due to an oversight on our part; instead, they were never intended to be included in the source code.

Regards,
Ivan Danchev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.