CWE-352: Cross-Site Request Forgery (CSRF)

Overview

This issue was identified during dynamic (DAST) scanning based on observed runtime behavior indicating that state-changing requests were accepted without a valid anti-CSRF protection. Confirmation requires reviewing how request authenticity is enforced for authenticated actions.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-352 typically indicate that the application accepted authenticated, state-changing requests without verifying request authenticity, such as:

  • Successful POST/PUT/DELETE requests without a CSRF token
  • State changes triggered by cross-origin requests
  • Acceptance of requests without Origin or Referer validation
  • Identical behavior for same-site and cross-site requests

Evidence is based on observing successful state changes without CSRF defenses, not on specific parameter values.

Mapping DAST Findings to Source Code

CWE-352 does not map to a specific parameter. The issue resides in how the application enforces request authenticity for authenticated, state-changing actions.

When tracing this issue in code, look for:

  • CSRF token generation and validation logic
  • Middleware enforcing CSRF protections
  • SameSite cookie configuration
  • Origin / Referer validation for sensitive requests
  • Endpoints performing state changes without CSRF checks

Key: check that CSRF token validation runs before each of these state-changing operations, not only on a subset of routes.

Remediation

Core Principle: Never allow authenticated, state-changing requests to be processed unless their origin and authenticity are verified using server-controlled mechanisms.

→ For comprehensive remediation guidance, see Static CWE-352 Guidance

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

Verification and Follow-Up Testing

After applying the fix:

1. Reproduce the Original Behavior

  • Attempt authenticated, state-changing requests without CSRF tokens
  • Observe whether the application previously accepted these requests

2. Verify the Fix

  • Confirm CSRF tokens are required for all state-changing operations
  • Verify requests without valid tokens are rejected
  • Ensure SameSite and origin protections are enforced where applicable

3. Test Edge Cases

  • Missing or malformed CSRF tokens
  • Tokens reused across sessions
  • Cross-origin requests triggering state changes
  • GET requests performing state changes
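The following is an added example (not code from this guidance page or from any scanner vendor) that ties the "Mapping DAST Findings to Source Code" and "Remediation" sections above to the edge cases listed here. It implements the server-controlled mechanisms the page names: a CSRF token bound to the session via HMAC, Origin/Referer validation, a SameSite session cookie, and a rule that GET never changes state. It then replays the edge-case matrix against that handler so you can see which requests must be rejected. All names (`Request`, `handle`, `issue_csrf_token`, `run_edge_cases`), the origin `https://app.example`, the session ids and the server secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed values for the example; a real deployment loads these from configuration.
SERVER_SECRET = b"example-only-secret"
ALLOWED_ORIGIN = "https://app.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Audit counter so the verification run can prove only one request changed state.
AUDIT = {"state_changes": 0}


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None  # parsed from the session cookie by the framework


def issue_csrf_token(session_id: str) -> str:
    """Mint a token whose MAC binds a random nonce to this session.

    A token minted for session A fails validation in session B, which covers the
    'tokens reused across sessions' edge case."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: Optional[str], token: Optional[str]) -> bool:
    """Constant-time check of a submitted token against the current session."""
    if not session_id or not isinstance(token, str):
        return False
    parts = token.split(".")
    if len(parts) != 2:  # malformed token
        return False
    nonce, mac = parts
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Prefer Origin; fall back to Referer; reject when neither is present."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ALLOWED_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parsed = urlparse(referer)
        return f"{parsed.scheme}://{parsed.netloc}" == ALLOWED_ORIGIN
    return False


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: SameSite=Lax blocks most cross-site POSTs at the browser."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def handle(req: Request) -> Tuple[int, str]:
    """Gate every authenticated, state-changing request behind origin and token checks."""
    if req.session_id is None:
        return 401, "login required"
    if req.method == "GET":
        return 200, "read-only"  # GET must never perform a state change, whatever the parameters
    if req.method not in STATE_CHANGING:
        return 405, "method not allowed"
    if not origin_allowed(req.headers):
        return 403, "cross-site request rejected"
    if not csrf_token_valid(req.session_id, req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    AUDIT["state_changes"] += 1
    return 200, "state changed"


def run_edge_cases() -> Dict[str, int]:
    """Replay the edge-case matrix from the follow-up testing steps; returns status per case."""
    AUDIT["state_changes"] = 0
    sid_a, sid_b = "sess-A", "sess-B"  # constructed session ids
    tok_a = issue_csrf_token(sid_a)
    same_site = {"Origin": ALLOWED_ORIGIN}
    cross_site = {"Origin": "https://other.example"}  # constructed foreign origin
    cases = {
        "valid": Request("POST", same_site, {"csrf_token": tok_a}, sid_a),
        "missing_token": Request("POST", same_site, {}, sid_a),
        "malformed_token": Request("POST", same_site, {"csrf_token": "not.a.valid.token"}, sid_a),
        "token_from_other_session": Request("POST", same_site, {"csrf_token": tok_a}, sid_b),
        "cross_origin": Request("POST", cross_site, {"csrf_token": tok_a}, sid_a),
        "no_origin_no_referer": Request("POST", {}, {"csrf_token": tok_a}, sid_a),
        "referer_only_same_site": Request("POST", {"Referer": ALLOWED_ORIGIN + "/form"}, {"csrf_token": tok_a}, sid_a),
        "get_with_state_params": Request("GET", cross_site, {"action": "delete"}, sid_a),
    }
    results = {name: handle(r)[0] for name, r in cases.items()}
    results["state_changes"] = AUDIT["state_changes"]
    return results


if __name__ == "__main__":
    for name, status in run_edge_cases().items():
        print(f"{name:28s} {status}")
```

Only the `valid` and `referer_only_same_site` cases should change state; every other state-changing request is refused with 403, and the GET returns without touching state. If your own handler accepts any of the rejected cases, the DAST finding is still reproducible.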

4. Re-run DAST Scanner

Re-run the dynamic scanner to confirm CSRF protections are enforced.

Additional Resources