Request Forgery: CSRF Post Based
Identifier:
csrf_post_based
Scanner(s) Support

| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description

POST-based CSRF happens when an attacker tricks a user's browser into making a POST request that the server treats as legitimate because the browser automatically attaches authentication data such as cookies. The attack exploits a server that accepts requests too flexibly, in particular one that accepts several content types (such as HTML form submissions) instead of strictly enforcing a JSON payload. This can lead to dangerous actions such as altering data or making unintended financial transactions, because the user's credentials are submitted without their explicit intention. Developers often mistakenly relax validation of the content types their endpoints accept, which makes it easier for attackers to take advantage of the browser's stored credentials.
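As an added illustration (not part of this check's documentation or the scanner's code), the following guard contrasts the relaxed content-type validation described above with a strict JSON-only variant; the `Request` class, the allowed-origin list and the extra Origin/Referer comparison are assumptions made for the example.

```python
# Added example: request-level guard for a state-changing endpoint.
# Request, FORM_TYPES and the allowed-origin list are constructed for this demo.
from dataclasses import dataclass, field

# Body types an HTML form (or a cross-origin fetch without preflight) can send;
# the browser attaches the victim's cookies to such requests automatically.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)


def _header(req, name):
    # Case-insensitive header lookup, as HTTP header names are case-insensitive.
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _content_type(req):
    # Drop parameters such as "; charset=utf-8" or "; boundary=..." before comparing.
    return _header(req, "Content-Type").split(";")[0].strip().lower()


def lenient_accepts(req):
    """The relaxed validation the description warns about: form bodies and JSON
    are both parsed, so a cross-site form post reaches the business logic."""
    return req.method == "POST" and _content_type(req) in FORM_TYPES | {"application/json"}


def strict_accepts(req, allowed_origins=("https://app.example.com",)):
    """Hardened variant: only application/json is parsed (a form cannot send it,
    and a cross-origin script would trigger a CORS preflight), and the request
    must carry an Origin or Referer that belongs to the application itself."""
    if req.method != "POST":
        return False
    if _content_type(req) != "application/json":
        return False
    origin = _header(req, "Origin") or _header(req, "Referer")
    return any(origin.startswith(allowed) for allowed in allowed_origins)
```

The strict check is a content-type and origin gate only; it complements, rather than replaces, anti-CSRF tokens or SameSite cookie attributes.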
Configuration

Example

Example configuration:

Reference
assets_allowed

Type : List[AssetType]

List of assets that this check will cover.
skip

Type : boolean

Skip the test if true.