Statements (38)
| Predicate | Object |
|---|---|
| gptkbp:instance_of | gptkb:Common_Weakness_Enumeration |
| gptkbp:bfsLayer | 6 |
| gptkbp:bfsParent | gptkb:CWE-750 |
| gptkbp:countermeasures | Implementing CSRF tokens. Using CAPTCHA. Validating the origin of requests. |
| gptkbp:difficulty | gptkb:High |
| gptkbp:enemy | Web applications. |
| gptkbp:example | A user unknowingly authorizes a transaction on a malicious site. A user is tricked into clicking a link that submits a form. An attacker sends an email with a link that performs an action on a web application. A user is logged into a site and clicks a link that submits a form without their consent. A malicious site sends a request to a bank to transfer money. A user is tricked into submitting a form that changes their account settings. |
| gptkbp:game_components | Web applications. Web servers. Web browsers. |
| https://www.w3.org/2000/01/rdf-schema#label | CWE-352 |
| gptkbp:impact | Unauthorized actions on behalf of a user. |
| gptkbp:is_described_as | A weakness that allows an attacker to induce a user to perform actions that they do not intend. |
| gptkbp:is_protected_by | User education. SameSite cookie attribute. Use anti-CSRF tokens. |
| gptkbp:is_referenced_in | NIST SP 800-53. CWE-306: Missing Authentication for Critical Function. CWE-327: Use of a Broken or Risky Cryptographic Algorithm. CWE-16: Configuration. CWE-200: Information Exposure. CWE-20: Improper Input Validation. CWE-285: Improper Authorization. CWE-295: Improper Certificate Validation. CWE-601: URL Redirection to Untrusted Site. OWASP CSRF Prevention Cheat Sheet. CWE-22: Improper Limitation of a Pathname to a Restricted Directory. CWE-79: Improper Neutralization of Input During Web Page Generation. |
| gptkbp:name | Cross-Site Request Forgery (CSRF) |
| gptkbp:related_to | Cross-Site Scripting (XSS). Session Fixation. |