Disabled Spring CSRF protection¶
ID: java/spring-disabled-csrf-protection Kind: problem Security severity: 8.8 Severity: error Precision: high Tags: - security - external/cwe/cwe-352 Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls Click to see the query in the CodeQL repository
Cross-site request forgery (CSRF) is a type of vulnerability in which an attacker is able to force a user to carry out an action that the user did not intend.
The attacker tricks an authenticated user into submitting a request to the web application. Typically, this request will result in a state change on the server, such as changing the user’s password. The request can be initiated when the user visits a site controlled by the attacker. If the web application relies only on cookies for authentication, or on other credentials that are automatically included in the request, then this request will appear as legitimate to the server.
Recommendation¶
When you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.
Example¶
The following example shows the Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients.
import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @EnableWebSecurity @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf(csrf -> // BAD - CSRF protection shouldn't be disabled csrf.disable() ); } } References¶
Spring Security Reference: Cross Site Request Forgery (CSRF) .
Common Weakness Enumeration: CWE-352.