원클릭으로
sc-csrf
Cross-Site Request Forgery detection — missing tokens, SameSite misconfiguration, and CORS-CSRF interaction
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Cross-Site Request Forgery detection — missing tokens, SameSite misconfiguration, and CORS-CSRF interaction
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | sc-csrf |
| description | Cross-Site Request Forgery detection — missing tokens, SameSite misconfiguration, and CORS-CSRF interaction |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects CSRF vulnerabilities where state-changing operations (POST, PUT, DELETE) lack CSRF protection, enabling attackers to trick authenticated users into performing unintended actions. Covers missing CSRF tokens, SameSite cookie misconfiguration, token validation flaws, and JSON content-type bypass scenarios.
Called by sc-orchestrator during Phase 2 when web applications with session-based auth are detected.
"csrf", "CSRF", "csrftoken", "csrf_token", "_token",
"SameSite", "samesite", "X-CSRF-Token", "X-XSRF-TOKEN",
"@csrf", "csrf_exempt", "CsrfViewMiddleware",
"antiforgery", "ValidateAntiForgeryToken", "csurf"
1. Missing CSRF Protection:
# VULNERABLE: State-changing endpoint without CSRF
@csrf_exempt # Explicitly disabled!
def transfer_funds(request):
amount = request.POST['amount']
to_account = request.POST['to']
# Transfer without CSRF verification
2. SameSite Cookie Not Set:
// VULNERABLE: No SameSite attribute
app.use(session({
cookie: { httpOnly: true, secure: true }
// Missing: sameSite: 'strict' or 'lax'
}));
3. JSON API Without Content-Type Validation:
// VULNERABLE: Accepts both form-encoded and JSON
app.post('/api/transfer', (req, res) => {
// Attacker can submit via HTML form with content-type application/x-www-form-urlencoded
});
// SAFE: Require application/json content-type
app.post('/api/transfer', (req, res) => {
if (req.headers['content-type'] !== 'application/json') {
return res.status(415).send('Unsupported Media Type');
}
});
@csrf_exempt.$except array..csrf().disable().csurf or csrf-csrf middleware.[ValidateAntiForgeryToken] on POST actions.Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan