Cross-Site Request Forgery (CSRF)
| Property | |
|---|---|
| Language | csharp |
| Severity |  |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
A state-changing MVC controller method is missing antiforgery token validation or strict content-type checks. This means that the method can be triggered by unauthorized requests from external sites.
Impact#
Without these protections, attackers could exploit Cross-Site Request Forgery (CSRF) to perform actions on behalf of authenticated users, such as changing account data or making transactions, potentially leading to unauthorized access or data manipulation within your application.