logo
Home/CWEs/CWE-352/

CWE-352 - Cross-Site Request Forgery (CSRF)

  • Abstraction:Compound
  • Structure:Composite
  • Status:Stable
  • Release Date:2006-07-19
  • Latest Modification Date:2025-04-03

Weakness Name

Cross-Site Request Forgery (CSRF)

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Common Consequences

Scope: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control

Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart

Notes: The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could trick a client into making an unintentional request to the web server via a URL, image load, XMLHttpRequest, etc., which would then be treated as an authentic request from the client - effectively performing any operations as the victim, leading to an exposure of data, unintended code execution, etc. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.

Related Weaknesses

CWE-345Insufficient Verification of Data Authenticity

CWE-346Origin Validation Error

CWE-441Unintended Proxy or Intermediary ('Confused Deputy')

CWE-613Insufficient Session Expiration

CWE-642External Control of Critical State DataHigh

Related Alerts

Anti-CSRF Tokens CheckMedium

Sec-Fetch-Dest Header is MissingInformational

Sec-Fetch-User Header is MissingInformational

Sec-Fetch-Site Header is MissingInformational

Absence of Anti-CSRF TokensMedium

Sec-Fetch-Site Header Has an Invalid ValueInformational

Sec-Fetch-Mode Header Has an Invalid ValueInformational

Sec-Fetch-Dest Header Has an Invalid ValueInformational

Sec-Fetch-Mode Header is MissingInformational

Sec-Fetch-User Header Has an Invalid ValueInformational