Cross-Site Request Forgery (CSRF)

Property
Language: go
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The WebSocket server does not validate the Origin header during the handshake, allowing connections from any domain. This omission makes it possible for malicious sites to establish unauthorized WebSocket connections to your server.

Impact

Without Origin checks, attackers can exploit Cross-Site Request Forgery (CSRF) to perform actions on behalf of authenticated users or leak sensitive data via unauthorized WebSocket requests. This can lead to data breaches, unauthorized operations, or abuse of application functionality.

Cross-Site Request Forgery (CSRF)

Property
Language: java
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

A controller method is annotated with @RequestMapping without specifying the HTTP method, which means it accepts all types of HTTP requests by default. This can unintentionally expose state-changing actions to unsafe methods like GET, making the endpoint vulnerable to CSRF attacks.

Impact

If exploited, an attacker could trick users into performing unwanted actions on your application (such as changing data or user settings) by sending forged requests. This can lead to unauthorized data changes, account compromise, or other security breaches, especially if sensitive operations are accessible via unsafe HTTP methods.

Cross-Site Request Forgery (CSRF)

Property
Language: java
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

CSRF protection is disabled in this Spring configuration, leaving the application vulnerable to cross-site request forgery attacks. This means malicious sites could trick authenticated users into performing unintended actions.

Impact

If exploited, attackers could perform actions on behalf of legitimate users without their consent, such as changing account details, making unauthorized transactions, or modifying sensitive data. This can lead to data breaches, loss of user trust, and regulatory compliance issues.

Cross-Site Request Forgery (CSRF)

Property
Language: javascript
Severity: medium
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Your Express application does not appear to use CSRF protection middleware like csurf or csrf. Without CSRF validation, your app is vulnerable to malicious requests from other sites that can trick users into performing unwanted actions.

Impact

If exploited, attackers could perform actions on behalf of authenticated users without their consent, such as changing account information or making purchases. This can lead to compromised user accounts, data loss, and potential financial or reputational damage to your application.

Cross-Site Request Forgery (CSRF)

Property
Language: javascript
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The CSRF protection middleware is applied before the method-override middleware in your Express app. Because CSRF middleware typically skips safe methods such as GET, a request that arrives as GET passes the CSRF check and is only afterwards rewritten by method-override into POST or another unsafe method, so the state-changing request is never validated.

Impact

Attackers could exploit this to perform unauthorized actions on behalf of users by turning safe GET requests into unsafe POST or DELETE operations, potentially leading to data modification or deletion without the user’s consent. This compromises user data and application integrity.

Cross-Site Request Forgery (CSRF)

Property
Language: php
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

CSRF protection is disabled in your Symfony form or framework configuration. This leaves forms vulnerable to malicious requests from other sites, allowing attackers to perform actions on behalf of users without their consent.

Impact

If exploited, attackers could trick users into submitting unauthorized requests, such as changing account details or performing transactions. This can lead to data loss, account compromise, and unauthorized actions within your application, potentially impacting user trust and organizational security.

Cross-Site Request Forgery (CSRF)

Property
Language: python
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Explicitly setting WTF_CSRF_ENABLED to False in a Flask application disables Flask-WTF's CSRF protection, leaving forms and endpoints vulnerable to cross-site request forgery attacks. This means users are not protected against unauthorized actions performed by malicious websites.

Impact

If CSRF protection is disabled, attackers can trick authenticated users into performing unintended actions, such as changing account details or making transactions without their consent. This can lead to data breaches, account compromise, and unauthorized changes in the application, severely impacting user trust and security.

Cross-Site Request Forgery (CSRF)

Property
Language: python
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using the @csrf_exempt decorator in Django disables CSRF protection for the affected route, making it vulnerable to cross-site request forgery attacks. This means anyone can submit requests to this endpoint without a CSRF token.

Impact

If exploited, an attacker could trick users into performing unwanted actions, such as changing account details or extracting sensitive data, by submitting forged requests on their behalf, potentially leading to unauthorized access or data breaches.

Cross-Site Request Forgery (CSRF)

Property
Language: python
Severity: low
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This view in your Pyramid application has CSRF protection turned off, making it vulnerable to cross-site request forgery attacks. Without CSRF protection, requests from malicious sites can perform actions as if they were from legitimate users.

Impact

If exploited, an attacker could trick users into performing unwanted actions, such as changing settings or making transactions, without their knowledge. This can lead to unauthorized access, data changes, or account compromise, potentially impacting application integrity and user trust.