CWE-352Cross-Site Request Forgery (CSRF)

PUBLISHEDweakness recordMedium
released 2006-07-19 · last modified 2025-12-11
CWE-352 - Cross-Site Request Forgery (CSRF) - Diagram

Metadata

CWE ID:
CWE-352
摘要:
Compound
结构:
Composite
状态:
Stable
发布日期:
2006-07-19
更新日期:
2025-12-11

名称

Cross-Site Request Forgery (CSRF)

描述

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

常见后果

范围:
Confidentiality, Integrity, Availability, Non-Repudiation, Access Control
影响:
Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart
注释:
The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could trick a client into making an unintentional request to the web server via a URL, image load, XMLHttpRequest, etc., which would then be treated as an authentic request from the client - effectively performing any operations as the victim, leading to an exposure of data, unintended code execution, etc. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.

相关 CWE

相关警报