Skip to content

Absence of anti-CSRF tokens

Description

The application failed to protect against Cross-Site Request Forgery (CSRF) by using secure application tokens or SameSite cookie directives.

The vulnerability can be exploited by an attacker creating a link or form on a third party site and tricking an authenticated victim to access them.

Remediation

Consider setting all session cookies to have the SameSite=Strict attribute. However, it should be noted that this may impact usability when sharing links across other mediums. It is recommended that a two cookie based approach is taken, as outlined in the Top level navigations section of the RFC.

If the application is using a common framework, there is a chance that Anti-CSRF protection is built in but needs to be enabled. Consult your application framework documentation for details.

If neither of the above are applicable, it is strongly recommended that a third party library is used. Implementing a secure Anti-CSRF system is a significant investment and difficult to do correctly.

Details

ID Aggregated CWE Type Risk
352.1 true 352 Passive Medium

Links