Security Test: POST based CSRF

Description

Default Severity:

POST based CSRF happens when an attacker tricks a user's browser into making a POST request that the server treats as legitimate because the browser automatically attaches authentication data such as cookies. The underlying weakness is a server that accepts state-changing requests too flexibly, in particular one that parses form content types (which any cross-site HTML form can send) instead of strictly requiring a JSON payload. This can lead to dangerous actions such as altering data or making unintended financial transactions, because the user's credentials are submitted without the user's explicit intention. Developers often relax validation of the content types their endpoints accept, which makes it easier for an attacker to use the browser's stored credentials to their advantage.
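The lenient-versus-strict content-type handling described above, as an added example that is not part of the original page or the scanner's own code. The site origin, request model and sample requests are constructed for illustration; the strict handler combines a JSON-only content type with an Origin/Referer check.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the protected application (constructed, not from the page).
SITE_ORIGIN = "https://app.example"
# Content types an HTML form can send cross-site without a CORS preflight.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def content_type(req):
    # Drop parameters such as "; charset=utf-8" and normalise case.
    return req.headers.get("Content-Type", "").split(";")[0].strip().lower()

def lenient_accepts(req):
    """Weak endpoint: parses JSON *or* form encodings, so a cross-site
    form submission carrying the victim's cookie is processed."""
    return content_type(req) in FORM_TYPES | {"application/json"}

def strict_accepts(req):
    """Hardened endpoint: state-changing requests must be JSON from our origin."""
    if req.method not in STATE_CHANGING:
        return True
    if content_type(req) != "application/json":
        return False  # a plain HTML form cannot produce this content type
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False  # no provenance at all: fail closed
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

# Constructed sample requests; the cookie is what the browser attaches automatically.
COOKIE = {"Cookie": "session=victim-session-token"}
FORGED_FORM = Request("POST", {**COOKIE, "Content-Type": "application/x-www-form-urlencoded",
                               "Origin": "https://evil.example"}, b"amount=1000&to=mallory")
FORGED_TEXT = Request("POST", {**COOKIE, "Content-Type": "text/plain",
                               "Origin": "https://evil.example"}, b'{"amount":1000,"to":"mallory"}')
LEGIT_JSON = Request("POST", {**COOKIE, "Content-Type": "application/json; charset=utf-8",
                              "Origin": SITE_ORIGIN}, b'{"amount":10,"to":"alice"}')

if __name__ == "__main__":
    for name, req in [("forged form", FORGED_FORM), ("forged text/plain", FORGED_TEXT),
                      ("legitimate json", LEGIT_JSON)]:
        print(f"{name:18} lenient={lenient_accepts(req)} strict={strict_accepts(req)}")
```

The text/plain case shows why checking only the body shape is not enough: a form can carry a JSON-looking body under a form content type, so the check must be on the declared Content-Type and the request's origin.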

Reference:

Configuration

Identifier: request_forgery/csrf_post_based

Examples

All configuration available:

checks:
  request_forgery/csrf_post_based:
    skip: false # default

Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API2:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.9 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 352 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R |
| CVSS Score | 4.6 |