CWE-352 - Cross-Site Request Forgery (CSRF)


Cross-site request forgery (CSRF) is a weakness within a web application which is caused by insufficient or absent verification of the HTTP request origin. Webservers are usually designed to accept all requests and respond to them. If a client sends several HTTP requests within one or several sessions, it is impossible for a webserver to know whether all the requests were intentional, and they are treated as such. An attacker might be able to force a user to visit a specially crafted webpage and perform state changing requests like transferring funds, changing their email address, and so on and so forth.
Having gained the access to any data, attackers can carry out all the actions allowed only for valid users and even to cause the system problems by destructing or stealing data, uninstalling the product, or using it to make other attacks.
The weakness is introduced during Architecure and Design stage.

Latest vulnerabilities for CWE-352


Description of CWE-352 on Mitre website