Hi
I’m working on an app for a company, which is part of a big Enterprise in Switzerland. They also have a Bug Bounty program, which makes it very likely that the app (at least the public part, which includes forms etc.) will be tested for security issues quite often. That’s why I tested the app with OWASP ZAP to see if something critical pops up (not sure how accurate this scan is…). There were quite a few minor warnings that no anti-CSRF tokens were found on the forms. This seems like a potential security issue… Are there some specific measures in place against cross-site request forgery attacks?
Also, if the bug bounty team finds issues, what’s the best way to forward them to you guys for resolving?
Thank you
Joel
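For reference, this is what the check ZAP is looking for (the synchronizer token pattern) looks like in practice, as an added example that is not part of the original post or of the app being discussed. The in-memory session store, the `/contact` route and the `csrf_token` field name are assumptions made for the illustration:

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store standing in for a real server-side one
# (assumption: sessions are server-side and keyed by an opaque session id).
_SESSIONS: Dict[str, Dict[str, str]] = {}


def start_session() -> str:
    """Create a session and mint a fresh anti-CSRF token for it."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Embed the session's token as a hidden field (synchronizer token pattern).

    A cross-site attacker can make the victim's browser submit this form with
    the session cookie attached, but cannot read the page to learn the token.
    """
    token = _SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/contact">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="message"><button>Send</button></form>'
    )


def handle_post(cookie_sid: Optional[str], form: Dict[str, str]) -> int:
    """Return an HTTP status: 403 unless the submitted token matches the session's."""
    session = _SESSIONS.get(cookie_sid or "")
    if session is None:
        return 403
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, expected):
        return 403
    return 200


def extract_token(html: str) -> str:
    """Pull the hidden token out of the rendered form, as a legitimate browser would submit it."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


if __name__ == "__main__":
    sid = start_session()
    token = extract_token(render_form(sid))
    # Legitimate submission: cookie and matching token -> accepted.
    print(handle_post(sid, {"csrf_token": token, "message": "hi"}))
    # Forged cross-site submission: cookie rides along, token is missing -> rejected.
    print(handle_post(sid, {"message": "hi"}))
```

The scanner flags forms without such a hidden field because, without it (or an equivalent such as a double-submit cookie or SameSite cookies plus Origin checks), the session cookie alone authorizes any state-changing POST a third-party page can trigger.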