CSRF attack on default liferay search portlet/site?
Hello everybody,
We had a security scan on our Liferay system (7.1.2), and the result was that Cross-Site Request Forgery is possible on all default Liferay 'search' related portlets and sites.
In our properties we have 'auth.token.check.enabled=true' and nothing search related in our auth.token.ignore.actions or auth.token.ignore.portlets property.
Why is there no CSRF attack prevention on liferay-search? Is there any way to turn it on for liferay-search portlets/sites?
thank you in advance
Please tell us which Liferay version you are using.
Also, it usually helps if there are more details, e.g. which actions were flagged exactly by your test?
Hey Christoph,
Thank you for your answer.
We are using Liferay 7.1.2.
The security scan discovered that all parameters within the form were known or predictable and therefore the form could be vulnerable to CSRF.
Yes, but which one? The normal search portlet?
I am not sure how this should be a security problem. It might be, but so far it isn't clear to me that it is indeed one.
CSRF tokens should protect forms that update data. An attacker might craft a URL and, when you click it as an admin, it can do something evil, e.g. it could create a user, add permissions or something like that. So addUser, updatePermissions, ... should always be protected using CSRF tokens.
But for actions that can't do anything bad, a CSRF token is not necessary, e.g. a call to getCountries always returns the same results and it really doesn't matter if I trick an admin into executing it.
So it is important to know which calls are susceptible in your opinion. The search calls?