| name | sc-csrf |
| description | Cross-Site Request Forgery detection — missing tokens, SameSite misconfiguration, and CORS-CSRF interaction |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Cross-Site Request Forgery (CSRF)
Purpose
Detects CSRF vulnerabilities where state-changing operations (POST, PUT, DELETE) lack CSRF protection, enabling attackers to trick authenticated users into performing unintended actions. Covers missing CSRF tokens, SameSite cookie misconfiguration, token validation flaws, and JSON content-type bypass scenarios.
Activation
Called by sc-orchestrator during Phase 2 when web applications with session-based auth are detected.
Phase 1: Discovery
Keyword Patterns to Search
"csrf", "CSRF", "csrftoken", "csrf_token", "_token",
"SameSite", "samesite", "X-CSRF-Token", "X-XSRF-TOKEN",
"@csrf", "csrf_exempt", "CsrfViewMiddleware",
"antiforgery", "ValidateAntiForgeryToken", "csurf"
Vulnerability Patterns
1. Missing CSRF Protection:
@csrf_exempt
def transfer_funds(request):
amount = request.POST['amount']
to_account = request.POST['to']
2. SameSite Cookie Not Set:
app.use(session({
cookie: { httpOnly: true, secure: true }
}));
3. JSON API Without Content-Type Validation:
app.post('/api/transfer', (req, res) => {
});
app.post('/api/transfer', (req, res) => {
if (req.headers['content-type'] !== 'application/json') {
return res.status(415).send('Unsupported Media Type');
}
});
Framework CSRF Defaults
- Django: CSRF middleware enabled by default. Check for
@csrf_exempt.
- Laravel: VerifyCsrfToken middleware. Check
$except array.
- Spring Security: CSRF enabled by default. Check
.csrf().disable().
- Express: No built-in CSRF. Check for
csurf or csrf-csrf middleware.
- ASP.NET: Check for
[ValidateAntiForgeryToken] on POST actions.
Severity Classification
- Critical: Missing CSRF on financial operations, password change, email change
- High: Missing CSRF on account settings, admin actions
- Medium: Missing CSRF on non-critical state changes, SameSite=None
- Low: Missing CSRF on preference changes, CSRF concerns mitigated by SameSite=Lax
Output Format
Finding: CSRF-{NNN}
- Title: Missing CSRF Protection on {endpoint}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-352 (Cross-Site Request Forgery)
- Description: {State-changing endpoint} lacks CSRF token validation.
- Impact: Unauthorized actions on behalf of authenticated users.
- Remediation: Enable CSRF tokens, set SameSite=Strict/Lax, validate Content-Type.
- References: https://cwe.mitre.org/data/definitions/352.html
Common False Positives
- API-only with Bearer tokens — APIs using Authorization header (not cookies) are CSRF-immune
- SameSite=Lax by default — modern browsers default to Lax, mitigating most CSRF
- GraphQL mutations — typically require application/json content-type (pre-flight check)
- CORS properly configured — strict CORS blocks cross-origin form submissions with credentials