forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSpringCSRFProtection.qhelp
48 lines (42 loc) · 1.64 KB
/
SpringCSRFProtection.qhelp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
<qhelp>
<overview>
<p>
Cross-site request forgery (CSRF) is a type of vulnerability in which an
attacker is able to force a user to carry out an action that the user did
not intend.
</p>
<p>
The attacker tricks an authenticated user into submitting a request to the
web application. Typically, this request will result in a state change on
the server, such as changing the user's password. The request can be
initiated when the user visits a site controlled by the attacker. If the
web application relies only on cookies for authentication, or on other
credentials that are automatically included in the request, then this
request will appear as legitimate to the server.
</p>
</overview>
<recommendation>
<p>When you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation
is to use CSRF protection for any request that could be processed by a browser client by normal
users.</p>
</recommendation>
<example>
<p>The following example shows the Spring Java configuration with CSRF protection disabled.
This type of configuration should only be used if you are creating a service that is used only
by non-browser clients.</p>
<sample src="SpringCSRFProtection.java" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross Site Request Forgery (CSRF)</a>.
</li>
<li>
Spring Security Reference:
<a href="https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html">
Cross Site Request Forgery (CSRF)
</a>.
</li>
</references>
</qhelp>