Missing HTTP method in Spring @RequestMapping
Description
A @RequestMapping endpoint does not specify an HTTP method, so every HTTP method is implicitly accepted, including GET. A state-changing handler that is reachable via GET can be triggered cross-site from a plain link or image request, and Spring Security's CSRF token check does not cover GET, so such a mapping can enable CSRF attacks.
Examples
Insecure Code
```java
// No method given: the handler answers GET, POST, PUT, DELETE and every other verb
@RequestMapping("/example")
public String example() { return "ok"; }
```
Secure Code
```java
// Only POST reaches the handler; a GET to /example now receives 405 Method Not Allowed
@RequestMapping(value = "/example", method = RequestMethod.POST)
public String example() { return "ok"; }
```
Remediation
Always set `method = RequestMethod.POST` (or whichever methods the endpoint actually needs) in the @RequestMapping annotation. The composed annotations @PostMapping, @PutMapping, @DeleteMapping and @PatchMapping are equivalent shorthands that fix the method for you. Restricting the method also makes Spring Security's CSRF filter apply to the endpoint, since that filter skips GET, HEAD, TRACE and OPTIONS by default.
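The following is an added example, not part of this rule page or the scanner's own implementation: a small line-oriented Python approximation of the CODE-0799 check, run over a constructed Java controller. It flags a method-level @RequestMapping that sets no `method=` unless the enclosing class-level @RequestMapping does (Spring combines class- and method-level conditions); the composed @GetMapping/@PostMapping family always carries a method. Single-line annotations only; a production rule works on the AST.

```python
import re

# Mapping annotations; the composed ones (@GetMapping etc.) always carry a method.
ANNOTATION = re.compile(
    r'@(RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping)\b'
    r'\s*(?:\(([^)]*)\))?')
METHOD_ATTR = re.compile(r'\bmethod\s*=')
CLASS_DECL = re.compile(r'\b(class|interface)\s+\w+')


def find_unrestricted_mappings(java_source):
    """Return (line, annotation) for each @RequestMapping that admits every HTTP method.
    Approximation of CODE-0799 over single-line annotations; class-level method
    restrictions are inherited by the methods below them, as Spring does."""
    findings = []
    class_restricted = False  # does the enclosing class-level mapping set method=?
    pending = None            # (line, text, restricted) of the last mapping annotation
    for lineno, raw in enumerate(java_source.splitlines(), 1):
        line = raw.strip()
        m = ANNOTATION.search(line)
        if m:
            args = m.group(2) or ''
            restricted = m.group(1) != 'RequestMapping' or bool(METHOD_ATTR.search(args))
            pending = (lineno, m.group(0), restricted)
            continue
        if not line or line.startswith(('@', '//')):
            continue  # other annotations, blanks and comments do not end the annotation run
        if CLASS_DECL.search(line):
            class_restricted = pending is not None and pending[2]
        elif pending is not None and '(' in line:  # a method declaration follows
            if not (pending[2] or class_restricted):
                findings.append((pending[0], pending[1]))
        pending = None
    return findings


# Constructed sample controller (hypothetical, not from any real project).
SAMPLE_JAVA = """\
@RestController
@RequestMapping("/api")
public class ExampleController {
    @RequestMapping("/example")
    public String example() { return "ok"; }
    @RequestMapping(value = "/example", method = RequestMethod.POST)
    public String secure() { return "ok"; }
    @PostMapping("/composed")
    public String composed() { return "ok"; }
}
"""

if __name__ == "__main__":
    print(find_unrestricted_mappings(SAMPLE_JAVA))
```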
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0799 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-352 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | csrf, spring, requestmapping |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |