CSRF Token Missing

By
Anandhu Krishnan
Published on
14 May 2024
1 min read
Vulnerability

Description

No anti-CSRF tokens were found in the HTML submission form, leaving it vulnerable to Cross-Site Request Forgery (CSRF). A CSRF attack tricks the victim's browser into sending an HTTP request to the target site without the victim's knowledge, exploiting the trust the site places in that browser's session. The attack is possible because the URL and form parameters of the targeted action are predictable, so the request can be prepared in advance.

CSRF attacks can be effective when:

  • The victim has an active session on the target site.
  • The victim is authenticated via HTTP auth on the target site.
  • The victim is on the same local network as the target site.

CSRF can also lead to information disclosure, especially if the target site is vulnerable to XSS: an injected script runs inside the same-origin policy, so it can issue forged requests and read the responses, including any anti-CSRF token on the page. CSRF is also known as XSRF, one-click attack, session riding, confused deputy, and sea surf.

Recommendation

Implement anti-CSRF tokens in every form and request that modifies state on the server. Ensure each token is unique per session and is validated on the server side against the value stored for that session. Generate tokens with a cryptographically secure random source, and include them in both the request payload and an HTTP header. Additionally, configure the server to reject any state-changing request that lacks a valid CSRF token.
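The synchronizer-token pattern described in the recommendation, written out as an added plain-Python example (not Beagle Security's code); the dict standing in for the server-side session store and the field and header names are assumptions:

```python
import hmac
import secrets

# Constructed example: a framework-free synchronizer-token implementation.
# A plain dict stands in for a real server-side session store, and the
# field/header names below are assumed, not taken from any framework.
TOKEN_FIELD = "csrf_token"
TOKEN_HEADER = "X-CSRF-Token"


def issue_token(session: dict) -> str:
    """Create one unpredictable token per session and keep it server-side."""
    token = session.get(TOKEN_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)  # CSPRNG, 256 bits of entropy
        session[TOKEN_FIELD] = token
    return token


def render_form(session: dict, action: str) -> str:
    """Embed the session's token as a hidden field in a state-changing form."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input type="submit" value="Submit"></form>'
    )


def validate_request(session: dict, form: dict, headers: dict) -> bool:
    """Server-side check for a state-changing request.

    Rejects the request when the session has no token, when no token was
    supplied at all, or when any supplied copy (form field or header) does
    not match the session's token. Comparison is constant-time.
    """
    expected = session.get(TOKEN_FIELD)
    if not expected:
        return False
    supplied = [form.get(TOKEN_FIELD), headers.get(TOKEN_HEADER)]
    present = [s for s in supplied if s is not None]
    if not present:
        return False  # missing token: the case this finding reports
    return all(
        hmac.compare_digest(s.encode("utf-8"), expected.encode("utf-8"))
        for s in present
    )
```

Forged cross-site requests fail `validate_request` because the attacker's page cannot read the victim's token, so neither the hidden field nor the header can be populated with the correct value.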

Written by Anandhu Krishnan, Lead Engineer