Language: C# | Type: VULNERABILITY | Severity: Critical
Tags: cwe, former-hotspot
Cross-site request forgery (CSRF) forces an authenticated user to perform unintended state-changing actions in a web application. This rule detects when CSRF protection is explicitly disabled or missing from an application.
When CSRF protection is disabled or bypassed, an attacker can trick a logged-in user into submitting requests the application treats as authenticated. The rule flags configurations that disable framework CSRF middleware, exempt specific routes or views, or leave unsafe HTTP methods unprotected.
An attacker can change passwords, transfer funds, modify data, or perform other privileged operations using the victim’s session.
Successful CSRF attacks can lead to full account takeover when combined with sensitive actions such as email or credential changes.
Disabling or bypassing CSRF protection allows an authenticated user’s browser to execute state-changing requests the user did not intend.
```csharp
public void ConfigureServices(IServiceCollection services)
{
    // ...
    services.AddControllersWithViews(options => options.Filters.Add(new IgnoreAntiforgeryTokenAttribute())); // Noncompliant
    // ...
}
```

```csharp
[HttpPost, IgnoreAntiforgeryToken] // Noncompliant
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
```
```csharp
public void ConfigureServices(IServiceCollection services)
{
    // ...
    services.AddControllersWithViews(options => options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    // or
    services.AddControllersWithViews(options => options.Filters.Add(new ValidateAntiForgeryTokenAttribute()));
    // ...
}
```

```csharp
[HttpPost]
[AutoValidateAntiforgeryToken]
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
```
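The compliant configuration above only works if the token actually reaches the request. The following is an added example (not code from the rule page) of a minimal ASP.NET Core app that registers the global filter, accepts the token from a header for JavaScript callers, and exposes the protected action; AccountController, ChangeEmailModel, the CsrfToken action and the header name X-CSRF-TOKEN are assumed names.

```csharp
// Added example, not from the rule page. Assumed names: AccountController,
// ChangeEmailModel, CsrfToken, header name "X-CSRF-TOKEN".
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Global filter: every POST/PUT/PATCH/DELETE action must carry a valid antiforgery
// token. Safe methods (GET/HEAD/OPTIONS/TRACE) are not validated, so no per-action
// attribute is needed and nothing has to be exempted.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

// Allow XHR/fetch clients to send the request token in a header instead of a form field.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();
app.MapDefaultControllerRoute();
app.Run();

public class ChangeEmailModel { public string NewEmail { get; set; } = ""; }

public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;
    public AccountController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // GET renders the form. A <form asp-action="ChangeEmail" method="post"> tag helper
    // in the Razor view emits the hidden __RequestVerificationToken field itself.
    [HttpGet]
    public IActionResult ChangeEmail() => View();

    // Hands a request token to a script client; the matching cookie token is set
    // on this response by GetAndStoreTokens.
    [HttpGet]
    public IActionResult CsrfToken() =>
        Json(new { token = _antiforgery.GetAndStoreTokens(HttpContext).RequestToken });

    // No [IgnoreAntiforgeryToken] here: the global filter rejects any POST whose
    // cookie token and form-field/header token do not match, before this body runs.
    [HttpPost]
    public IActionResult ChangeEmail(ChangeEmailModel model)
    {
        // ... apply the change for the currently authenticated user ...
        return RedirectToAction(nameof(ChangeEmail));
    }
}
```

A POST to /Account/ChangeEmail without the token is answered with HTTP 400 by the filter, which is the behaviour the noncompliant IgnoreAntiforgeryToken configurations switch off.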