Burp Suite User Forum

Login to post

Get support on why Cross site forgery is showing when it is blocked

Jenny | Last updated: Feb 22, 2021 06:46PM UTC

Our internal sites use Fortinet WAF to block CSRF, yet per your scan they show it. Can you please work with us to review this.

Hannah, PortSwigger Agent | Last updated: Feb 23, 2021 05:11PM UTC

Hi Unfortunately, we can't provide specific assistance with fixing individual issues in people's apps or dissecting/explaining scan reports. You can get more information on why Burp thinks it's finding that vulnerability by looking at the request and response details for the issue and attempting to replicate its findings. You can find out more information on CSRF vulnerabilities here: https://portswigger.net/web-security/csrf If you think that this is a false positive, you can mark it as such. In Professional, you would do this by right-clicking on the issue and changing the severity. Burp Suite Enterprise has the following documentation: - https://portswigger.net/burp/documentation/enterprise/working/scan-results/false-positives - https://portswigger.net/burp/documentation/enterprise/trial-setup/scan-results

You need to Log in to post a reply. Or register here, for free.