Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Applying Django's @csrf_exempt decorator to a view disables the CSRF protection that CsrfViewMiddleware would otherwise enforce for that route, leaving it open to cross-site request forgery. Because the browser attaches the user's session cookies automatically, any third-party site can then cause a logged-in user's browser to submit state-changing requests to this endpoint without a valid CSRF token.
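To make the finding concrete, here is an added, simplified model of the double-submit check Django's middleware performs (example code, not Django's own implementation): a forged cross-site POST carries the victim's cookie but not the matching token, so it is rejected unless the view is marked exempt. The `Request` class, `TRUSTED_ORIGINS` value and the sample requests are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TRUSTED_ORIGINS = {"https://app.example"}  # assumed deployment origin


@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)   # browser sends these automatically
    headers: dict = field(default_factory=dict)   # e.g. Origin, X-CSRFToken
    post: dict = field(default_factory=dict)      # form fields, e.g. csrfmiddlewaretoken
    csrf_exempt: bool = False                      # what @csrf_exempt sets on the view


def issue_token() -> str:
    """Fresh per-session token, stored in the csrftoken cookie and echoed in forms."""
    return secrets.token_urlsafe(32)


def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Mirrors the order of Django's middleware checks,
    without Django's token masking, to show what @csrf_exempt switches off."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    if req.csrf_exempt:
        # The finding: the route skips every check below.
        return True, "view is csrf_exempt: check skipped"
    origin = req.headers.get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, f"origin {origin} not trusted"
    cookie = req.cookies.get("csrftoken")
    if not cookie:
        return False, "CSRF cookie not set"
    # Token may come from the form field or, for AJAX, the X-CSRFToken header.
    submitted = req.post.get("csrfmiddlewaretoken") or req.headers.get("X-CSRFToken", "")
    if not hmac.compare_digest(cookie, submitted):
        return False, "CSRF token missing or incorrect"
    return True, "token matches cookie"


def forged_request(token: str, exempt: bool) -> Request:
    """Constructed cross-site POST: cookie attached by the browser, token absent
    because the attacking page cannot read the victim's cookie."""
    return Request("POST", cookies={"csrftoken": token},
                   headers={"Origin": "https://other.example"},
                   post={"action": "change_email"}, csrf_exempt=exempt)
```

With the view left protected, `csrf_check(forged_request(t, False))` is rejected on the Origin check (and would fall through to the token mismatch); with `csrf_exempt=True` the same request is accepted.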
Impact
If exploited, an attacker could trick authenticated users into performing unwanted actions, such as changing account details or extracting sensitive data, by having their browsers submit forged requests on their behalf, potentially leading to unauthorized access or data breaches.