Search order query

This topic contains 3 replies, has 2 voices, and was last updated by Ernest Marcinko 1 year, 6 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
    #31338
    tjldesigns
    Participant

    Hello Ernest,

    How are you? I hope ok :).

    I have a couple of queries please.

    1. If you go to the homepage, then click any item on the left hand side menu, that will open the main menu. You will then see the search in the top right. If you search for ‘corporate’, the main page just called ‘corporate’ we would expect to be the first result but it doesn’t show? This page: https://collyerbristow.com/business/corporate/. Do you know why that is and how we can get it to show first?

    2. Our client ran a security test and the form within ajaxsearchprosettings1_1 flagged up as below. Do you know what that means, and how can we fix it so it doesn’t flag as a security issue?

    Description:
    Cross-site request forgery (CSRF) vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has
    issued a particular request. Because browsers automatically add cookies to requests regardless of their origin, it may be possible for an
    attacker to create a malicious web site that forges a cross-domain request to the vulnerable application.
    Mitigation:

    The most effective way to protect against CSRF vulnerabilities is to include within relevant requests an additional token that is not
    transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain sufficient entropy, and be
    generated using a cryptographic random number generator, such that it is not feasible for an attacker to determine or predict the value of
    any token that was issued to another user. The token should be associated with the user’s session, and the application should validate that
    the correct token is received before performing any action resulting from the request.

    I hope all that makes sense, thanks so much and I look forward to hearing from you :).

    Many thanks and take care,
    Tonya
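The mitigation the scanner describes (a hidden, unpredictable, session-bound token checked before the action runs) maps directly onto WordPress's built-in nonce API. This is an added illustration, not code from this thread or from the Ajax Search Pro plugin; the `example_` function, field and option names are hypothetical.

```php
<?php
// Added illustration (not the plugin's own code): the scanner's recommended
// CSRF mitigation expressed with WordPress's nonce API. "example_" names are
// hypothetical placeholders for the real settings form and option.

// 1. Rendering the settings form: wp_nonce_field() emits a hidden input
//    (name "example_nonce") whose value is derived from a secret salt, the
//    current user, their session token, the action name and a time window,
//    so it is never sent as a cookie and cannot be guessed cross-site.
function example_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Results per page
            <input type="number" name="example_per_page" value="10">
        </label>
        <button type="submit" name="example_submit">Save</button>
    </form>
    <?php
}

// 2. Handling the POST: nothing is saved unless the token round-trips
//    AND the requesting user holds the capability the action needs.
function example_handle_settings_post() {
    if ( ! isset( $_POST['example_submit'] ) ) {
        return;
    }
    // check_admin_referer() runs wp_verify_nonce() on $_POST['example_nonce']
    // for this action and calls wp_die() on failure, so a forged cross-origin
    // submission never reaches the code below.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // A nonce proves intent, not authority: pair it with a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $per_page = isset( $_POST['example_per_page'] )
        ? absint( $_POST['example_per_page'] )
        : 10;
    update_option( 'example_per_page', $per_page );
}
add_action( 'admin_init', 'example_handle_settings_post' );
```

WordPress nonces are valid for up to 24 hours and are not single-use, so they are a CSRF control rather than a replay control; the capability check is what actually authorizes the save.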

    #31352
    Ernest Marcinko
    Keymaster

    Hi Tonya,

    Thank you, I am doing just fine 🙂 I hope you are all right too.

    1. Well it should indeed be shown first. I did a bit of digging, and there was actually an issue with the relevance calculation in the title query with the regular engine. It must have been there for a long time, as I don’t recall making a change in that section for a while. Anyways, please try it now and let me know. I will then make this a permanent change in the upcoming release.

    2. That message does not make sense unfortunately. I mean I understand what CSRF is, and what form it refers to, but I don’t get how these things are related in any way. If you have any more information (malicious inputs, methodology, replication etc.), please let me know and I will test and patch if required. If there are no other details, you can safely mark it as a false positive.

    To be honest with you, I am not a fan of these automated programmatical security tests; the amount of invalidated false positives reported is astonishing. I mean they are heuristically looking for simple programmatical errors or unintentional mistakes, and almost all of the time report completely safe code as malicious by detecting parts similar to other malicious code – but of course cannot recognize more complex structures. For non-technical users these are still frightening, when most of the time it is simply nothing. I have a feeling some security plugins use these as a selling point for a subscription, I can only hope it is not the case.

    Best,
    Ernest Marcinko

    If you like my products, don't forget to rate them on codecanyon :)


    #31369
    tjldesigns
    Participant

    Hi Ernest,

    Ahh great to hear you are doing well, as it’s been a crazy time hasn’t it with everything! But yes I am well too thank you, and I have kept busy which I feel so lucky about. I’m sure you are the same :).

    Then onto your responses…

    1. This is now absolutely perfect, thank you so much as always for coming back to me and resolving so quickly. It’s so much appreciated :).

    2. Also, thank you so much for your detailed response here. I couldn’t agree with you more on these automated security tests! I’ve gone back with your extremely helpful information and I have a funny feeling we won’t hear anything further on this, but if we do, I will let you know.

    Thank you so much again and take care,
    Tonya

    #31376
    Ernest Marcinko
    Keymaster

    You are welcome Tonya 🙂

    Let me know if you need anything.

    Best,
    Ernest Marcinko

    If you like my products, don't forget to rate them on codecanyon :)

