
Commit c5a9747

committed
Add check for disabled CSRF protection in Spring
Fix the help according to review comments.
1 parent 4ce25c0 commit c5a9747

2 files changed

Lines changed: 11 additions & 12 deletions


java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.qhelp

Lines changed: 10 additions & 11 deletions
@@ -2,30 +2,29 @@
22
<qhelp>
33

44
<overview>
5-
<p>When a web server is designed to receive a request from a client without any mechanism
6-
for verifying that it was intentionally sent, then it might be possible for an attacker
7-
to trick a client into making an unintentional request to the web server which will be treated
8-
as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
5+
<p>When you set up a web server to receive a request from a client without any mechanism
6+
for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
7+
trick a client into making an unintended request to the web server that will be treated as
8+
an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
99
result in exposure of data or unintended code execution.</p>
1010
</overview>
1111

1212
<recommendation>
13-
<p>Cross-Site Request Forgery (CSRF) protection is enabled by default in Spring with Java
14-
configuration. It's recommended to not disable this.</p>
13+
<p>Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
14+
is to use CSRF protection for any request that could be processed by a browser client by normal
15+
users.</p>
1516
</recommendation>
1617

1718
<example>
18-
<p>The following example shows the Spring Java configuration with CSRF protection disabled.</p>
19+
<p>The following example shows the Spring Java configuration with CSRF protection disabled.
20+
This type of configuration should only be used if you are creating a service that is used only
21+
by non-browser clients.</p>
1922

2023
<sample src="SpringCSRFProtection.java" />
2124
</example>
2225

2326
<references>
2427
<li>
25-
CWE:
26-
<a href="https://cwe.mitre.org/data/definitions/352.html">CWE-352: Cross-Site Request Forgery (CSRF)</a>.
27-
</li>
28-
<li>
2928
OWASP:
3029
<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a>.
3130
</li>
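Review bot: The rewritten recommendation now opens with "Cross-Site Request Forgery (CSRF) protection is enabled by default." with no subject, whereas the old text said "in Spring with Java configuration"; since the default only holds for Spring Security, keep at least "in Spring Security" so the sentence stands on its own, e.g. "CSRF protection is enabled by default in Spring Security. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users." The same hunk also drops the CWE-352 entry from `<references>` and leaves only the OWASP link; given that the query lives under CWE/CWE-352, please confirm the removal was intended by the review comments rather than an accidental deletion.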

java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
/**
22
* @name Disabled Spring CSRF protection
33
* @description Disabling CSRF protection makes the application vulnerable to
4-
* Cross-Site Request Forgery (CSRF) attack.
4+
* a Cross-Site Request Forgery (CSRF) attack.
55
* @kind problem
66
* @problem.severity error
77
* @precision high
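Review bot: The article fix in the `@description` ("vulnerable to a Cross-Site Request Forgery (CSRF) attack") is correct; one question on the unchanged context lines below it: the qhelp in this same commit states that disabling CSRF protection is acceptable for services used only by non-browser clients, so with `@problem.severity error` and `@precision high` every such intentional configuration will be reported as an error. Either the qhelp should tell users how to suppress the alert for that case, or the severity should reflect that the result needs a human judgement on who the service's clients are.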
