
Security Test: POST based CSRF

Description

Default Severity:

POST based CSRF occurs when an attacker tricks a user's browser into sending a POST request that the server treats as legitimate, because the browser automatically attaches authentication material such as session cookies. The danger is that the attacker can make the server perform harmful actions on the user's behalf, such as altering data or initiating unintended transactions, without the user's knowledge or intent. This often happens when developers allow too much flexibility in the content the server accepts, for example by not enforcing a strict JSON format: a cross-site HTML form can only submit form-encoded, multipart or text/plain bodies, so an endpoint that honours those bodies (or does not check the Content-Type at all) can be driven from an attacker-controlled page, whereas a strict `application/json` requirement forces the browser through CORS. Developers need to be wary of these lax validations, as they give attackers an opening to misuse a user's credentials and cause data breaches or financial losses.
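The following is an added example, not part of this page or of the scanner's own code. It models the two request handlers the description contrasts: a lax one that honours any state-changing request carrying a session cookie, and a hardened one that refuses anything a cross-site HTML form could have produced (by requiring `application/json`) and additionally checks the `Origin` and `Sec-Fetch-Site` headers when the browser supplies them. Requests are modelled as plain dicts, and the trusted origin `https://app.example.com`, the cookie name `session` and all sample requests are constructed for illustration.

```python
from typing import Mapping, Optional, Tuple

# Assumed origin of the legitimate front end (constructed for this example).
TRUSTED_ORIGINS = {"https://app.example.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# The only media types an HTML <form> can submit without JavaScript.
FORM_MEDIA_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def media_type(content_type: Optional[str]) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise the media type."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def browser_form_can_produce(request: Mapping) -> bool:
    """True if a cross-site <form> could have sent this request as-is:
    a POST whose body type is one a form is allowed to emit."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return request["method"] == "POST" and media_type(headers.get("content-type")) in FORM_MEDIA_TYPES


def lax_accepts(request: Mapping) -> bool:
    """The pattern this check flags: any state-changing request with a session
    cookie is honoured, whatever its Content-Type or Origin."""
    return request["method"] in STATE_CHANGING and "session" in request.get("cookies", {})


def strict_decision(request: Mapping) -> Tuple[bool, str]:
    """Hardened handler: returns (accepted, reason)."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if request["method"] not in STATE_CHANGING:
        return True, "safe method"
    if "session" not in request.get("cookies", {}):
        return False, "no session cookie"
    # 1. Refuse anything a cross-site <form> could have produced, and insist on
    #    JSON. A body that merely looks like JSON but arrives as text/plain is
    #    rejected here as well.
    if browser_form_can_produce(request) or media_type(headers.get("content-type")) != "application/json":
        return False, "Content-Type must be application/json"
    # 2. If the browser told us where the request came from, require our own origin.
    origin = headers.get("origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, "untrusted Origin"
    # 3. Fetch metadata, when present, must say same-origin (or a direct navigation).
    site = headers.get("sec-fetch-site")
    if site is not None and site not in {"same-origin", "none"}:
        return False, "cross-site per Sec-Fetch-Site"
    return True, "accepted"


# Constructed sample requests.
CROSS_SITE_FORM_POST = {
    "method": "POST",
    "headers": {"Content-Type": "application/x-www-form-urlencoded",
                "Origin": "https://attacker.example",
                "Sec-Fetch-Site": "cross-site"},
    "cookies": {"session": "abc123"},
    "body": "amount=1000&to=mallory",
}
TEXT_PLAIN_JSON_POST = {
    "method": "POST",
    "headers": {"Content-Type": "text/plain", "Origin": "https://attacker.example"},
    "cookies": {"session": "abc123"},
    "body": '{"amount": 1000, "to": "mallory"}',
}
LEGIT_FETCH_POST = {
    "method": "POST",
    "headers": {"Content-Type": "application/json; charset=utf-8",
                "Origin": "https://app.example.com",
                "Sec-Fetch-Site": "same-origin"},
    "cookies": {"session": "abc123"},
    "body": '{"amount": 10, "to": "alice"}',
}

if __name__ == "__main__":
    for name, req in [("cross-site form", CROSS_SITE_FORM_POST),
                      ("text/plain json", TEXT_PLAIN_JSON_POST),
                      ("legit fetch", LEGIT_FETCH_POST)]:
        print(f"{name:16} lax={lax_accepts(req)!s:5} strict={strict_decision(req)}")
```

The lax handler accepts all three constructed requests; the strict one accepts only the same-origin JSON request. The Content-Type check alone closes the form-based vector the description talks about; the `Origin` and `Sec-Fetch-Site` checks are defence in depth for clients that can set headers but are still bound by the browser's same-origin policy.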

Reference:

Configuration

Identifier: frontend_request_forgery/csrf_post_based

Examples

All configuration available:

checks:
  frontend_request_forgery/csrf_post_based:
    skip: false # default

Compliance and Standards

| Standard | Value |
| --- | --- |
| OWASP API Top 10 | API2:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.9 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 352 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R |
| CVSS Score | 4.6 |