# Cross-Site Request Forgery (CSRF) (CWE-352) The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. - Prevalence: 中 覆盖 3 种语言 - Impact: 高 3 条严重级别为高的规则 - Prevention: 已记录 3 个修复示例 **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. ## Prevention 基于 3 条 Shoulder 检测规则的 Cross-Site Request Forgery 预防策略。 ### JavaScript Create HTTP interceptors to centralize authentication tokens and CSRF protection across all requests ### Python Ensure CsrfViewMiddleware is enabled and never use @csrf_exempt on state-changing views ### Go Add CSRF middleware to protect state-changing endpoints ## Warning Signs - [HIGH] HttpClient used without security interceptors. Missing centralized authentication, CSRF protection, and security headers - [HIGH] View handles POST/PUT/DELETE without @csrf_protect or @ensure_csrf_cookie decorator - [HIGH] Django views that handle POST/PUT/DELETE requests without CSRF protection - [HIGH] State-changing endpoints lack CSRF protection ## Consequences - 修改应用程序数据 - 获取权限 - 执行未授权代码 ## Mitigations - 在所有改变状态的请求中使用反 CSRF 令牌 - 检查 Referer 头 - 使用 SameSite Cookie 属性 ## Detection - Total rules: 3 - Languages: javascript, typescript, python, go ## Rules by Language ### Javascript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing ### Typescript (1 rules) - **Angular Missing HTTP Security Interceptor** [HIGH]: Missing HTTP interceptors require manual token and CSRF protection on every request, leading to inconsistent security and unauthorized API access. - Remediation: Create an HTTP interceptor to add authentication tokens to all requests. ```typescript @Injectable() export class AuthInterceptor implements HttpInterceptor { constructor(private auth: AuthService) {} intercept(req: HttpRequest, next: HttpHandler) { const token = this.auth.getToken(); if (token) { req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) }); } return next.handle(req); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-352/http-interceptor-missing ### Python (1 rules) - **Django Missing CSRF Protection** [HIGH]: Detects Django views that handle POST/PUT/DELETE requests without CSRF protection. CSRF tokens prevent malicious sites from performing actions on behalf of authenticated users. - Remediation: Add CSRF protection: ```python # Option 1: Use csrf_protect decorator from django.views.decorators.csrf import csrf_protect @csrf_protect def my_view(request): if request.method == 'POST': # Handle POST pass # Option 2: Enable CSRF middleware (recommended) # In settings.py MIDDLEWARE: 'django.middleware.csrf.CsrfViewMiddleware', ``` ### Go (1 rules) - **Missing CSRF Protection (Gin)** [HIGH]: State-changing endpoints lack CSRF token protection. - Remediation: Add CSRF middleware using gin-csrf. ```go import "github.com/utrack/gin-csrf" r := gin.Default() r.Use(csrf.Middleware(csrf.Options{ Secret: os.Getenv("CSRF_SECRET"), })) r.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-352/csrf-protection