Statements (38)
| Predicate | Object |
|---|---|
| gptkbp:instance_of | gptkb:Common_Weakness_Enumeration |
| gptkbp:common_mitigation | Implementing CSRF tokens. Using CAPTCHA. Validating the origin of requests. |
| gptkbp:components | Web applications. Web servers. Web browsers. |
| gptkbp:description | A weakness that allows an attacker to induce a user to perform actions that they do not intend. |
| gptkbp:difficulty_levels | gptkb:High |
| gptkbp:example | A user unknowingly authorizes a transaction on a malicious site. A user is tricked into clicking a link that submits a form. An attacker sends an email with a link that performs an action on a web application. A user is logged into a site and clicks a link that submits a form without their consent. A malicious site sends a request to a bank to transfer money. A user is tricked into submitting a form that changes their account settings. |
| gptkbp:has_enemies | Web applications. |
| https://www.w3.org/2000/01/rdf-schema#label | CWE-352 |
| gptkbp:impact | Unauthorized actions on behalf of a user. |
| gptkbp:is_referenced_in | CWE-306: Missing Authentication for Critical Function. CWE-327: Use of a Broken or Risky Cryptographic Algorithm. CWE-16: Configuration. CWE-200: Information Exposure. CWE-20: Improper Input Validation. CWE-285: Improper Authorization. CWE-295: Improper Certificate Validation. CWE-601: URL Redirection to Untrusted Site. CWE-22: Improper Limitation of a Pathname to a Restricted Directory. CWE-79: Improper Neutralization of Input During Web Page Generation. NIST SP 800-53. OWASP CSRF Prevention Cheat Sheet. |
| gptkbp:name | Cross-Site Request Forgery (CSRF) |
| gptkbp:prevention | User education. SameSite cookie attribute. Use anti-CSRF tokens. |
| gptkbp:related_to | Cross-Site Scripting (XSS); Session Fixation |
| gptkbp:bfsParent | gptkb:CWE-750 |
| gptkbp:bfsLayer | 8 |