# Cross-Site Request Forgery (CSRF) (CWE-352) The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. **Stack:** JavaScript - Prevalence: Medium 3 languages covered - Impact: High 3 high-severity rules - Prevention: Documented 3 fix examples **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. ## Prevention Prevention strategies for Cross-Site Request Forgery based on 1 Shoulder detection rules. ### JavaScript Create HTTP interceptors to centralize authentication tokens and CSRF protection across all requests ## Warning Signs - [HIGH] HttpClient used without security interceptors. Missing centralized authentication, CSRF protection, and security headers ## Consequences - Modify Application Data - Gain Privileges - Execute Unauthorized Code ## Mitigations - Use anti-CSRF tokens in all state-changing requests - Check the Referer header - Use SameSite cookie attribute ## Detection - Total rules: 3 - Languages: javascript, typescript, python, go ## Rules by Language ### Javascript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing ### Typescript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing