Rules Repository: RSPEC-4502

Disabling CSRF protections is security-sensitive

    Details

    • Message:
      Make sure disabling CSRF protection is safe here.|Make sure not using CSRF protection is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java, Python
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-352
    • OWASP:
      A6
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindSecBugs:
      SPRING_CSRF_PROTECTION_DISABLED

      Description

      CSRF vulnerabilities occur when an attacker can trick a user into performing sensitive authenticated operations on a web application without the user's consent.

      <!-- Attacker's page: the hidden form is submitted automatically as soon as the page loads -->
      <body onload="document.forms[0].submit()">
      <form action="http://mybank.com/account/transfer_money" method="POST">
          <input type="hidden" name="accountNo" value="attacker_account_123456"/>
          <input type="hidden" name="amount" value="10000"/>
          <input type="submit" value="Steal money"/>
      </form>
      </body>

      If a user visits the attacker's website, which contains the above malicious code, the user's bank account is debited without their consent or knowledge.

      Ask Yourself Whether

      • The web application has sensitive operations that can be performed by an authenticated user.
      • The state or resources of the web application can be modified by HTTP requests such as POST or DELETE.
      • The web application is not only a public API designed to be requested by external websites.

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Protection against CSRF attacks is strongly recommended. It should be:
        • activated by default for all unsafe HTTP methods;
        • implemented, for example, with an unguessable CSRF token.
      • Sensitive operations must not be performed with safe HTTP methods such as GET, which are designed only for information retrieval.
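      As an added example (not part of the rule text or of any analyzed framework), this minimal Python CSRF guard shows both recommendations in working form: an unguessable per-session token generated with `secrets`, checked with a constant-time comparison, and enforced by default for every unsafe method. The session dictionary, the `csrf_token` form field and the function names are assumptions for the demonstration, not a framework's API.

```python
import hmac
import secrets
from typing import Optional

# RFC 7231 "safe" methods: they must not change state, so no token is required.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
SESSION_KEY = "_csrf_token"  # assumed session key for this example


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating an unguessable one on first use."""
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[SESSION_KEY] = token
    return token


def csrf_check(session: dict, method: str, submitted_token: Optional[str]) -> bool:
    """Default-deny: every unsafe method must carry the session's own token.

    A cross-site page can make the browser send the victim's cookies, but it
    cannot read the token embedded in the bank's form, so a forged request
    fails here. Safe methods pass untouched, which is exactly why sensitive
    operations must never be reachable through GET.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(SESSION_KEY)
    if not expected or not submitted_token:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected, submitted_token)


def transfer_money(session: dict, method: str, form: dict) -> str:
    """The transfer endpoint from the description, guarded before it acts."""
    if not csrf_check(session, method, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['accountNo']}"


if __name__ == "__main__":
    # Constructed sample: an authenticated session and the bank's own form token.
    victim_session = {"user": "alice"}
    token = issue_csrf_token(victim_session)
    # The auto-submitted form from the description carries cookies but no token.
    forged = {"accountNo": "attacker_account_123456", "amount": "10000"}
    print(transfer_money(victim_session, "POST", forged))
    # The bank's legitimate form includes the token as a hidden field.
    print(transfer_money(victim_session, "POST", {**forged, "csrf_token": token}))
```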

      See

        Attachments

          Issue Links

          1. Java RSPEC-5687 Language-Specification Active Unassigned
          2. JavaScript RSPEC-5688 Language-Specification Active Unassigned
          3. Python RSPEC-5792 Language-Specification Active Unassigned

              People

              • Assignee: Unassigned
              • Reporter: Alexandre Gigleux