CWE-352: Cross-Site Request Forgery (CSRF)

Learn about CWE-352 (Cross-Site Request Forgery (CSRF)), its security impact, exploitation methods, and prevention guidelines.

What is Cross-Site Request Forgery (CSRF)?

• Overview: Cross-Site Request Forgery (CSRF) is a vulnerability where attackers trick a user into performing actions on a web application without their knowledge, by exploiting the application's inability to verify if requests come from the legitimate user.

• Exploitation Methods:

  • Attackers exploit this vulnerability by creating a malicious link, form, or script that causes the victim's browser to send a well-formed request to the web application; the browser attaches the user's session cookie automatically, so the server treats the request as if the logged-in user had made it.
  • Common attack patterns include embedding such links in phishing emails or on malicious websites, where page load alone can trigger the action using the user's session.

• Security Impact:

  • Direct consequences include unauthorized actions being performed, such as changing user settings or initiating transactions.
  • Potential cascading effects involve broader account compromise or data manipulation if the attacker gains additional access.
  • Business impact can involve financial loss, reputational damage, and loss of customer trust.

• Prevention Guidelines:

  • Specific code-level fixes include implementing anti-CSRF tokens in forms and state-changing requests to ensure authenticity.
  • Security best practices involve requiring re-authentication for sensitive actions and using SameSite cookies to limit cross-origin requests.
  • Recommended tools and frameworks include using web security frameworks that provide built-in CSRF protection, such as OWASP CSRFGuard or CSRF protection features in popular web frameworks like Django, Rails, or Spring Security.

Corgea can automatically detect and fix Cross-Site Request Forgery (CSRF) in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Medium

Affected Languages: Not Language-Specific

Affected Technologies: Web Server

Vulnerable Code Example

Python Example

from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/transfer', methods=['POST'])
def transfer_money():
    # Vulnerable code: CSRF attack possible as there's no verification of the source of the request
    amount = request.form['amount']
    to_account = request.form['to_account']
    # Process the transfer...
    return jsonify({"status": "success", "amount": amount, "to_account": to_account})

Explanation

In this vulnerable example, the /transfer endpoint processes POST requests to transfer money without verifying the source of the request. This absence of verification allows an attacker to craft a malicious request from another site, causing an unwanted action on behalf of an authenticated user, leading to a CSRF attack.

How to fix Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website or application causes a user's web browser to perform an unwanted action on a trusted site where the user is authenticated. The key to preventing CSRF attacks is to ensure that the request is coming from a legitimate source.

Fix Approach:

  1. CSRF Tokens: Implement CSRF tokens for state-changing requests. A CSRF token is a unique, secret, and unpredictable value that is generated by the server, bound to the user's session, and sent to the client. The client must send this token back to the server with every state-changing request, and the server must reject any request whose token is missing or does not match.
  2. SameSite Cookies: Set the SameSite attribute on session cookies to Strict or Lax. Strict stops the browser from attaching the cookie to any cross-site request; Lax still allows it on top-level GET navigations, so state-changing actions must never be reachable via GET.
  3. Custom Headers: Require a custom request header on state-changing requests. A cross-site page cannot add custom headers without triggering a CORS preflight that the server can refuse, so the header's presence is evidence that the request came from the application's own scripts. Use this alongside tokens, not instead of them.
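As an added example that is not the page's or Flask-WTF's own code, here is the synchronizer-token check that Flask-WTF performs for you in the fixed example below, written framework-free so each piece is visible: a per-session unpredictable token, constant-time comparison, an Origin check as defense in depth, and safe methods exempted. The in-memory session store, the Request stand-in, and the origin https://bank.example are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side session store (constructed stand-in for a real session backend).
SESSIONS: dict[str, dict] = {}
# Assumed origin of the application itself; anything else is cross-site.
ALLOWED_ORIGINS = {"https://bank.example"}

@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) the session's anti-CSRF token; the server embeds it in forms."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)  # unpredictable, per session
    return session["csrf_token"]

def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Only state-changing methods need the token."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    session = SESSIONS.get(req.cookies.get("session_id", ""))
    if session is None:
        return False, "no authenticated session"
    # Defense in depth: browsers send Origin on cross-site POSTs; reject foreign ones.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    expected = session.get("csrf_token", "")
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so validation leaks no timing information about the token.
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf token"
    return True, "token valid"

def transfer_money(req: Request) -> dict:
    """The /transfer handler from the page, now gated by csrf_check."""
    allowed, reason = csrf_check(req)
    if not allowed:
        return {"status": "rejected", "reason": reason}
    return {"status": "success", "amount": req.form["amount"], "to_account": req.form["to_account"]}
```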

Fixed Code Example

from flask import Flask, request, jsonify
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
# Required for signing CSRF tokens; set it before enabling protection. The value is a
# placeholder: in production load a long random secret from configuration, not source code.
app.config['SECRET_KEY'] = 'your_secret_key_here'
csrf = CSRFProtect(app)  # Enable CSRF protection for every state-changing request

@app.route('/transfer', methods=['POST'])
def transfer_money():
    # CSRF token is automatically checked before processing the request by Flask-WTF
    amount = request.form['amount']
    to_account = request.form['to_account']
    # Process the transfer...
    return jsonify({"status": "success", "amount": amount, "to_account": to_account})

Key Changes:

  • CSRF Protection: Integrated Flask-WTF's CSRFProtect, which automatically requires a valid CSRF token on POST requests (and the other state-changing methods it protects by default) and rejects requests without one.
  • Secret Key: Configured a secret key for signing the CSRF tokens, which is essential for the CSRF protection mechanism to function properly; it must be kept secret and set before the protection is enabled.

By implementing CSRF tokens, the application ensures that state-changing requests are verified for authenticity, mitigating the risk of CSRF attacks. This approach ensures that the server can confirm that requests are intentionally made by the user and not forged by an attacker.


Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-352: Cross-Site Request Forgery (CSRF) and get remediation guidance

Start for free and no credit card needed.