Cross-Site Request Forgery (CSRF) Vulnerability
Description
The application fails to protect against Cross-Site Request Forgery (CSRF) because an HTTP method handler that can change user state is not decorated with the `[ValidateAntiForgeryToken]` attribute. An adversary can exploit this by placing a link or form on a third-party site and tricking an authenticated victim into accessing it; the browser then submits the request with the victim's session cookies and the handler accepts it as legitimate.
Examples
Insecure Code

```c#
[HttpPost]
public IActionResult UpdateUser(...) {
    ...
}
```

Secure Code

```c#
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult UpdateUser(...) {
    ...
}
```

Remediation
Add the `[ValidateAntiForgeryToken]` attribute to every action that accepts user data and changes user state, or register a global `AutoValidateAntiforgeryTokenAttribute` filter so that all unsafe HTTP methods (POST, PUT, PATCH, DELETE) are validated by default. Consider setting all session cookies to have the `SameSite=Strict` attribute.
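The remediation above, put together as an added example (not code from the original rule page): an ASP.NET Core application that registers the global antiforgery filter, sets the antiforgery and session cookies to `SameSite=Strict`, and still marks the state-changing action explicitly. `AccountController`, `UserProfile` and the view path are assumed names for illustration.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting model)
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Global filter: every POST/PUT/PATCH/DELETE action must present a valid
// antiforgery token, so a forgotten [ValidateAntiForgeryToken] on a single
// action cannot silently leave a state-changing endpoint unprotected.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

// Cookies that carry state are not sent on cross-site navigations at all.
builder.Services.AddAntiforgery(options =>
    options.Cookie.SameSite = SameSiteMode.Strict);
builder.Services.AddDistributedMemoryCache(); // backing store for AddSession
builder.Services.AddSession(options =>
    options.Cookie.SameSite = SameSiteMode.Strict);

var app = builder.Build();
app.UseSession();
app.MapDefaultControllerRoute();
app.Run();

// Assumed model bound from the form.
public record UserProfile(string DisplayName, string Email);

// Controllers/AccountController.cs (assumed name)
public class AccountController : Controller
{
    [HttpGet]
    public IActionResult UpdateUser() => View();

    // Already covered by the global filter; the explicit attribute documents
    // the requirement for anyone reading this action in isolation.
    // The matching view Views/Account/UpdateUser.cshtml uses the form tag
    // helper, <form asp-action="UpdateUser" method="post">, which emits the
    // hidden __RequestVerificationToken field that this attribute validates.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult UpdateUser(UserProfile model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // ... persist the change for the authenticated user here ...
        return RedirectToAction(nameof(UpdateUser));
    }
}
```

A request that arrives without the token, or with a token whose cookie half is missing, is rejected with HTTP 400 before the action body runs, which is the observable signal that the protection is active.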
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0446 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-352 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | CSRF, Cross-Site Request Forgery, AntiForgeryToken |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |