# Cross-Site Request Forgery (CSRF) (CWE-352) The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. - Prevalence: 보통 3개 언어 지원 - Impact: 높음 3개의 높은 심각도 규칙 - Prevention: 문서화됨 3개의 수정 예시 **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. ## Prevention 3개의 Shoulder 탐지 규칙을 기반으로 한 Cross-Site Request Forgery 예방 전략. ### JavaScript Create HTTP interceptors to centralize authentication tokens and CSRF protection across all requests ### Python Ensure CsrfViewMiddleware is enabled and never use @csrf_exempt on state-changing views ### Go Add CSRF middleware to protect state-changing endpoints ## Warning Signs - [HIGH] HttpClient used without security interceptors. Missing centralized authentication, CSRF protection, and security headers - [HIGH] View handles POST/PUT/DELETE without @csrf_protect or @ensure_csrf_cookie decorator - [HIGH] Django views that handle POST/PUT/DELETE requests without CSRF protection - [HIGH] State-changing endpoints lack CSRF protection ## Consequences - 애플리케이션 데이터 수정 - 권한 획득 - 승인되지 않은 코드 실행 ## Mitigations - 상태를 변경하는 모든 요청에 CSRF 방지 토큰을 사용하세요 - Referer 헤더를 확인하세요 - SameSite 쿠키 속성을 사용하세요 ## Detection - Total rules: 3 - Languages: javascript, typescript, python, go ## Rules by Language ### Javascript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing ### Typescript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing ### Python (1 rules) - **Django Missing CSRF Protection** [HIGH]: Detects Django views that handle POST/PUT/DELETE requests without CSRF protection. CSRF tokens prevent malicious sites from performing actions on behalf of authenticated users. - Remediation: Add CSRF protection: ```python # Option 1: Use csrf_protect decorator from django.views.decorators.csrf import csrf_protect @csrf_protect def my_view(request): if request.method == 'POST': # Handle POST pass # Option 2: Enable CSRF middleware (recommended) # In settings.py MIDDLEWARE: 'django.middleware.csrf.CsrfViewMiddleware', ``` ### Go (1 rules) - **Missing CSRF Protection (Gin)** [HIGH]: State-changing endpoints lack CSRF token protection. - Remediation: Add CSRF middleware using gin-csrf. ```go import "github.com/utrack/gin-csrf" r := gin.Default() r.Use(csrf.Middleware(csrf.Options{ Secret: os.Getenv("CSRF_SECRET"), })) r.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-352/csrf-protection