| Property | Value |
|---|---|
| Language | generic |
| Severity | low |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |

Description

The CSRF protection configuration may be incomplete, allowing requests with certain content types (such as 'application/x-www-form-urlencoded', 'multipart/form-data', or 'text/plain') to bypass CSRF checks. These are exactly the content types a browser submits from a plain HTML form without a CORS preflight, so exempting them leaves state-changing endpoints reachable by a cross-site form post. Without properly subjecting these content types to CSRF validation, attackers could craft requests that trick users into performing unwanted actions.
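The following is an added example (not part of this rule's page or any particular framework's code) of what a complete check looks like: a configuration audit that flags form content types appearing in an exemption list, and a request filter that refuses to honour such exemptions and falls back to synchronizer-token validation. The function names, the exemption list and the sample headers are constructed for illustration.

```python
import hmac
from typing import Iterable, Mapping, Optional

# Content types a browser will send cross-site from a plain HTML <form> without a
# CORS preflight. A CSRF filter that exempts any of these is incomplete.
FORM_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Methods that must not change state and therefore need no token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def base_content_type(header_value: Optional[str]) -> str:
    """Return the media type without parameters (charset, boundary), lower-cased."""
    if not header_value:
        return ""
    return header_value.split(";", 1)[0].strip().lower()


def unsafe_exemptions(exempt_content_types: Iterable[str]) -> set:
    """Return the form content types that an exemption list wrongly leaves unchecked.

    A non-empty result means a cross-site form can reach state-changing handlers
    without a CSRF token; this is the configuration condition the rule describes.
    """
    return {base_content_type(ct) for ct in exempt_content_types} & FORM_CONTENT_TYPES


def csrf_request_allowed(method: str, headers: Mapping[str, str], submitted_token: Optional[str],
                         session_token: str, exempt_content_types: Iterable[str] = ()) -> bool:
    """Decide whether a request may proceed under a synchronizer-token CSRF policy.

    Safe methods pass. Everything else needs a token matching the session's token,
    unless its content type is explicitly exempted; form content types are never
    honoured as exemptions, even if the configuration lists them.
    `headers` is assumed to use the canonical "Content-Type" key.
    """
    if method.upper() in SAFE_METHODS:
        return True
    content_type = base_content_type(headers.get("Content-Type"))
    # Drop any form content type from the exemption set before consulting it.
    exempt = {base_content_type(ct) for ct in exempt_content_types} - FORM_CONTENT_TYPES
    if content_type and content_type in exempt:
        return True
    if not submitted_token:
        return False
    # Constant-time comparison so token validation does not leak timing information.
    return hmac.compare_digest(submitted_token, session_token)


if __name__ == "__main__":
    # Constructed sample: an exemption list taken from an incomplete configuration.
    incomplete = ["application/json", "text/plain"]
    print("wrongly exempted:", unsafe_exemptions(incomplete))
    headers = {"Content-Type": "text/plain;charset=UTF-8"}
    # Token-less POST with an exempted form content type is still rejected.
    print(csrf_request_allowed("POST", headers, None, "session-token", incomplete))
```

Parameters such as `charset` and `boundary` are stripped before comparison because a filter that matches the raw header string (`text/plain` only, not `text/plain;charset=UTF-8`) can be sidestepped by the same form submission the rule is about.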

Impact

If exploited, an attacker could perform unauthorized actions on behalf of authenticated users, such as changing account details or making transactions, potentially leading to data loss, fraud, or compromise of user accounts. This undermines user trust and may expose sensitive information or functions.