Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Explicitly setting `WTF_CSRF_ENABLED` to `False` in a Flask application's configuration turns off the CSRF protection that Flask-WTF provides: `CSRFProtect` stops checking incoming requests and `FlaskForm` no longer validates the hidden `csrf_token` field, so every state-changing endpoint accepts requests that carry the victim's session cookie but no token. The setting is application-wide. It is commonly disabled to simplify test suites; when that is the reason, the flag must live only in the test configuration and never in a configuration object that is loaded in production.
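As an added example (not code from this page or from Flask-WTF), the block below is a simplified synchronizer-token model in plain Python that reproduces the guard `CSRFProtect` applies before a view runs and the effect of the flag on it. The two config mappings, the `handle_transfer` view, the session dictionaries and the origins are constructed for illustration; the field and header names are Flask-WTF's defaults, but the real library signs tokens with itsdangerous rather than with this HMAC. The scenarios show a forged cross-origin POST succeeding when `WTF_CSRF_ENABLED` is `False` and being rejected with a 400 when it is `True`, while the application's own form still passes in both cases.

```python
import hashlib
import hmac
import secrets

# Two Flask-style config mappings (constructed for this example). Flask-WTF reads
# WTF_CSRF_ENABLED from app.config and defaults it to True; the first mapping is
# the pattern this rule flags, the second is what a production app should keep.
VULNERABLE_CONFIG = {"SECRET_KEY": "example-secret-key", "WTF_CSRF_ENABLED": False}
HARDENED_CONFIG = {"SECRET_KEY": "example-secret-key", "WTF_CSRF_ENABLED": True}

CSRF_FIELD = "csrf_token"                       # Flask-WTF's default WTF_CSRF_FIELD_NAME
CSRF_HEADERS = ("X-CSRFToken", "X-CSRF-Token")  # Flask-WTF's default WTF_CSRF_HEADERS


def generate_csrf(config, session):
    """Synchronizer token. A random secret is kept server-side in the session; the
    value handed to the page is an HMAC of it under SECRET_KEY, so a page on another
    origin can neither read it (same-origin policy) nor compute it."""
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_hex(16)
    return hmac.new(config["SECRET_KEY"].encode(),
                    session["csrf_secret"].encode(), hashlib.sha256).hexdigest()


def validate_csrf(config, session, token):
    """Constant-time comparison against the token derived from this session."""
    if not token or "csrf_secret" not in session:
        return False
    return hmac.compare_digest(generate_csrf(config, session), token)


def handle_transfer(config, session, form, headers):
    """Hypothetical state-changing POST handler. The guard mirrors the order
    CSRFProtect applies: when WTF_CSRF_ENABLED is False the whole check is skipped,
    and a failed check is answered with 400 before the view body runs."""
    if config.get("WTF_CSRF_ENABLED", True):
        token = form.get(CSRF_FIELD)
        if token is None:
            token = next((headers[h] for h in CSRF_HEADERS if h in headers), None)
        if not validate_csrf(config, session, token):
            return 400, "The CSRF token is missing or invalid."
    session["balance"] -= int(form["amount"])
    return 200, f"sent {form['amount']} to {form['to']}"


def forged_request_outcome(config):
    """A logged-in victim (session cookie present) visits evil.example, whose page
    auto-submits a form to /transfer. The browser attaches the cookie, but the
    attacker's page cannot read or compute the token, so none is included."""
    victim_session = {"user": "alice", "balance": 1000}
    generate_csrf(config, victim_session)  # the app rendered a form for the victim earlier
    form = {"to": "attacker", "amount": "500"}
    headers = {"Origin": "https://evil.example"}
    status, _ = handle_transfer(config, victim_session, form, headers)
    return status, victim_session["balance"]


def legitimate_request_outcome(config):
    """The application's own form carries the token rendered for this session."""
    session = {"user": "alice", "balance": 1000}
    form = {"to": "bob", "amount": "500", CSRF_FIELD: generate_csrf(config, session)}
    status, _ = handle_transfer(config, session, form, {"Origin": "https://bank.example"})
    return status, session["balance"]


if __name__ == "__main__":
    print("WTF_CSRF_ENABLED=False, forged request:", forged_request_outcome(VULNERABLE_CONFIG))
    print("WTF_CSRF_ENABLED=True,  forged request:", forged_request_outcome(HARDENED_CONFIG))
    print("WTF_CSRF_ENABLED=True,  own form:      ", legitimate_request_outcome(HARDENED_CONFIG))
```

The point to take from the two scenarios is that the forged request carries nothing the attacker had to steal: the session cookie is attached by the browser, and the only thing standing between that cookie and the transfer is the token check that the flag removes.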
Impact
With CSRF protection disabled, a page controlled by the attacker can make the victim's browser submit a request to the application; the browser attaches the victim's session cookie, so the application performs the action as the logged-in user. Every state-changing endpoint is exposed: changing an email address or password, initiating a transfer, granting permissions. The result is unauthorized changes and account takeover carried out with the victim's own privileges, without any credential being stolen, which directly undermines user trust in the application.