# Cross-Site Request Forgery (CSRF) (CWE-352) The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. - Prevalence: Medium 3 languages covered - Impact: High 3 high-severity rules - Prevention: Documented 3 fix examples **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. ## Prevention Prevention strategies for Cross-Site Request Forgery based on 3 Shoulder detection rules. ### Node.js Create HTTP interceptors to centralize authentication tokens and CSRF protection across all requests ### Python Ensure CsrfViewMiddleware is enabled and never use @csrf_exempt on state-changing views ### Go Add CSRF middleware to protect state-changing endpoints ## Warning Signs - [HIGH] HttpClient used without security interceptors. Missing centralized authentication, CSRF protection, and security headers - [HIGH] View handles POST/PUT/DELETE without @csrf_protect or @ensure_csrf_cookie decorator - [HIGH] Django views that handle POST/PUT/DELETE requests without CSRF protection - [HIGH] State-changing endpoints lack CSRF protection ## Consequences - Modify Application Data - Gain Privileges - Execute Unauthorized Code ## Mitigations - Use anti-CSRF tokens in all state-changing requests - Check the Referer header - Use SameSite cookie attribute ## Detection - Total rules: 3 - Languages: javascript, typescript, python, go ## Rules by Language ### Javascript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing ### Typescript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing ### Python (1 rules) - **Django Missing CSRF Protection** [HIGH]: Detects Django views that handle POST/PUT/DELETE requests without CSRF protection. CSRF tokens prevent malicious sites from performing actions on behalf of authenticated users. - Remediation: Add CSRF protection: ```python # Option 1: Use csrf_protect decorator from django.views.decorators.csrf import csrf_protect @csrf_protect def my_view(request): if request.method == 'POST': # Handle POST pass # Option 2: Enable CSRF middleware (recommended) # In settings.py MIDDLEWARE: 'django.middleware.csrf.CsrfViewMiddleware', ``` ### Go (1 rules) - **Missing CSRF Protection (Gin)** [HIGH]: State-changing endpoints lack CSRF token protection. - Remediation: Add CSRF middleware using gin-csrf. ```go import "github.com/utrack/gin-csrf" r := gin.Default() r.Use(csrf.Middleware(csrf.Options{ Secret: os.Getenv("CSRF_SECRET"), })) r.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-352/csrf-protection