
Request Forgery: CSRF Post Based

Identifier: csrf_post_based

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

POST-based CSRF occurs when a state-changing endpoint that is meant to receive JSON also accepts encodings an HTML form can produce (application/x-www-form-urlencoded, multipart/form-data or text/plain). A form submission with one of those content types is a CORS "simple" request: the browser sends it cross-site without a preflight and attaches the victim's cookies (unless SameSite keeps them back), so an attacker's page can trigger the action from an authenticated user's browser. An endpoint that accepts only application/json is not reachable this way, because that content type forces a preflight that a cross-origin page cannot pass without explicit CORS permission.

How we test: We send each state-changing POST endpoint the same request body re-encoded with content types an HTML form can produce, to detect whether it accepts form submissions in addition to JSON. We then check whether an anti-CSRF defence is in place (such as a per-session token, Origin or Referer validation, a required custom header, or cookies that are not sent cross-site) and confirm whether the endpoint can be driven from a cross-site form that carries the user's session cookie automatically.
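The following is an added illustration, not the scanner's code: it models a lenient transfer endpoint that parses whatever content type arrives, the same endpoint hardened with a strict content-type check and an Origin allow-list, and a probe in the spirit of the test above that replays one payload in form-submittable encodings from a foreign origin and reports which ones get through. The origins, the endpoint shape and the requests are constructed for the example; `cross_site_form_body` reproduces what a browser sends for a `<form enctype="text/plain">` whose single field name is the JSON object minus its closing brace.

```python
import json
from urllib.parse import parse_qs, urlencode

# Assumed trusted origin for the example application (constructed).
ALLOWED_ORIGINS = {"https://bank.example"}


def media_type(content_type):
    """Bare media type from a Content-Type value, e.g. 'text/plain' from
    'Text/Plain; charset=UTF-8'. Parameters are ignored on purpose: a handler
    that string-compares the whole header is trivially bypassed."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def cross_site_form_body(payload):
    """Body a browser sends for an auto-submitted <form enctype="text/plain">
    with one input named like the JSON object minus its closing brace and the
    value '"}'. text/plain encoding writes name=value CRLF, so the '=' lands in
    a throwaway key and the result is still valid JSON. text/plain is a CORS
    'simple' type: no preflight runs and the victim's cookies go along."""
    name = json.dumps(payload)[:-1] + ',"_":"'
    return name + '="}\r\n'


def lenient_transfer(headers, body):
    """Vulnerable pattern: parse whatever content type arrives."""
    h = {k.lower(): v for k, v in headers.items()}
    if media_type(h.get("content-type")) == "application/x-www-form-urlencoded":
        data = {k: v[0] for k, v in parse_qs(body).items()}
    else:
        # JSON and text/plain bodies alike end up in json.loads
        data = json.loads(body)
    return {"status": 200, "to": data["to"], "amount": int(data["amount"])}


def hardened_transfer(headers, body):
    """Same endpoint with two cheap checks: a content type no HTML form can
    produce, and an Origin allow-list. A per-session anti-CSRF token (not
    shown) is the other standard defence and stacks with these."""
    h = {k.lower(): v for k, v in headers.items()}
    if media_type(h.get("content-type")) != "application/json":
        return {"status": 415}
    # Browsers send Origin on every POST; treat a missing one as cross-site.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return {"status": 403}
    data = json.loads(body)
    return {"status": 200, "to": data["to"], "amount": int(data["amount"])}


def probe_content_types(handler, payload):
    """Replay one state-changing payload in form-submittable encodings from a
    foreign origin and report which ones the handler accepts. An empty list
    means the form-based CSRF vector is closed for this endpoint."""
    variants = {
        "application/x-www-form-urlencoded": urlencode(payload),
        "text/plain": cross_site_form_body(payload),
    }
    accepted = []
    for content_type, body in variants.items():
        headers = {"Content-Type": content_type,
                   "Origin": "https://attacker.example",
                   "Cookie": "session=victim"}  # attached by the browser, not the attacker
        if handler(headers, body)["status"] == 200:
            accepted.append(content_type)
    return accepted


if __name__ == "__main__":
    payload = {"to": "attacker", "amount": 1000}
    print("lenient accepts :", probe_content_types(lenient_transfer, payload))
    print("hardened accepts:", probe_content_types(hardened_transfer, payload))
```

Run as a script it prints the two form encodings for the lenient handler and nothing for the hardened one. The `multipart/form-data` variant is omitted only to keep the block short; it is the same class of request and should be probed the same way. Note that the hardened handler still relies on the browser sending `Origin`: a non-browser client can forge it, which is fine here because a forged client cannot steal the victim's cookie in the first place.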


Configuration

Example

Example configuration:

---
security_tests:
  csrf_post_based:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.