
S4502 — CSRF protections should not be disabled

Language: C#  |  Type: VULNERABILITY  |  Severity: Critical

Tags: cwe, former-hotspot

Cross-site request forgery (CSRF) forces an authenticated user to perform unintended state-changing actions in a web application. This rule detects when CSRF protection is explicitly disabled or missing from an application.

Why is this an issue?

When CSRF protection is disabled or bypassed, an attacker can trick a logged-in user into submitting requests the application treats as authenticated. The rule flags configurations that disable framework CSRF middleware, exempt specific routes or views, or leave unsafe HTTP methods unprotected.

What is the potential impact?

Unauthorized state changes

An attacker can change passwords, transfer funds, modify data, or perform other privileged operations using the victim’s session.

Account compromise

Successful CSRF attacks can lead to full account takeover when combined with sensitive actions such as email or credential changes.

How to fix it

Code examples

Disabling or bypassing CSRF protection lets an attacker-controlled page make the authenticated user's browser send state-changing requests, carrying the victim's session cookie, that the user never intended. Keep the antiforgery token validated on every unsafe HTTP method instead of exempting routes or removing the filter.

Noncompliant code example

public void ConfigureServices(IServiceCollection services)
{
    // ...
    // Registering IgnoreAntiforgeryToken as a global filter turns off token validation
    // for every action in the application, including all POST/PUT/PATCH/DELETE handlers.
    services.AddControllersWithViews(options => options.Filters.Add(new IgnoreAntiforgeryTokenAttribute())); // Noncompliant
    // ...
}

// Exempting a single state-changing action has the same effect for that endpoint:
// a cross-site form post to ChangeEmail is accepted with the victim's session cookie.
[HttpPost, IgnoreAntiforgeryToken] // Noncompliant
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");

Compliant solution

public void ConfigureServices(IServiceCollection services)
{
    // ...
    // AutoValidateAntiforgeryToken validates the token on every unsafe method
    // (POST, PUT, PATCH, DELETE) and leaves GET, HEAD, OPTIONS and TRACE alone.
    services.AddControllersWithViews(options => options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    // or
    // ValidateAntiForgeryToken validates the token on every action regardless of HTTP
    // method, so as a global filter it also demands a token on plain GET requests.
    services.AddControllersWithViews(options => options.Filters.Add(new ValidateAntiForgeryTokenAttribute()));
    // ...
}

// The token only reaches the server if the view renders it, which the
// <form method="post"> tag helper and @Html.AntiForgeryToken() both do.
[HttpPost]
[AutoValidateAntiforgeryToken]
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
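The snippets above show the filter registration in isolation. The following is an added, complete ASP.NET Core 6+ application (example code written for this page, not SonarSource's or Microsoft's) that keeps the global AutoValidateAntiforgeryToken filter and also handles the case that most often tempts developers into adding IgnoreAntiforgeryToken: JSON endpoints called from JavaScript. Instead of exempting those endpoints, the antiforgery token is accepted from a request header. The controller name AccountController, the header name X-CSRF-TOKEN, the cookie name and the ChangeEmailModel shape are assumptions made for the example.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Added example, not the rule's own code.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Validate the antiforgery token on every unsafe HTTP method (POST, PUT, PATCH, DELETE)
// for all controllers. Nothing needs to be exempted, so IgnoreAntiforgeryToken never appears.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

builder.Services.AddAntiforgery(options =>
{
    // Also accept the request token from a header so fetch/XHR clients can send it.
    // Header name is an assumption for this example; the default is "RequestVerificationToken".
    options.HeaderName = "X-CSRF-TOKEN";
    // The antiforgery cookie carries the secret half of the token pair; only send it over TLS.
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Model bound from the form or the JSON body (assumed shape).
public class ChangeEmailModel
{
    public string NewEmail { get; set; } = "";
}

public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public AccountController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // GET /Account/ChangeEmail renders the form. The <form method="post"> tag helper in the
    // Razor view emits the hidden __RequestVerificationToken field and sets the cookie.
    [HttpGet]
    public IActionResult ChangeEmail() => View();

    // POST /Account/ChangeEmail is covered by the global filter: a request whose form
    // field and cookie do not form a valid token pair is rejected with 400 before this runs.
    [HttpPost]
    public IActionResult ChangeEmail(ChangeEmailModel model)
    {
        // ... persist model.NewEmail for the signed-in user (omitted) ...
        return RedirectToAction(nameof(ChangeEmail));
    }

    // GET /Account/CsrfToken hands a request token to script clients. GetAndStoreTokens
    // also sets the antiforgery cookie on the response, so the pair is ready for use.
    [HttpGet]
    public IActionResult CsrfToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { token = tokens.RequestToken });
    }

    // PUT /Account/Email is a JSON endpoint used from JavaScript. It is still protected by
    // the global filter; the token simply arrives in the X-CSRF-TOKEN header instead of
    // a form field, which is why no IgnoreAntiforgeryToken is needed here.
    [HttpPut]
    public IActionResult Email([FromBody] ChangeEmailModel model)
    {
        // ... persist model.NewEmail for the signed-in user (omitted) ...
        return NoContent();
    }
}
```

A script client first calls GET /Account/CsrfToken, then sends the returned value in the X-CSRF-TOKEN header on its PUT to /Account/Email; a cross-origin page cannot read that token, so its forged request fails validation even though the browser attaches the session cookie. Because the token cookie is issued with SameSite=Strict by default, a forged request from another site would not carry the cookie half either, which is a second, independent reason the check fails.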
