1.6 KiB
stage | group | info |
---|---|---|
Secure | Dynamic Analysis | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments |
Absence of anti-CSRF tokens
Description
The application failed to protect against Cross-Site Request Forgery (CSRF) by using
secure application tokens or SameSite
cookie directives.
The vulnerability can be exploited by an attacker creating a link or form on a third party site and tricking an authenticated victim to access them.
Remediation
Consider setting all session cookies to have the SameSite=Strict
attribute. However,
it should be noted that this may impact usability when sharing links across other mediums.
It is recommended that a two cookie based approach is taken, as outlined in the
Top level navigations section
of the RFC.
If the application is using a common framework, there is a chance that Anti-CSRF protection is built in but needs to be enabled. Consult your application framework documentation for details.
If neither of the above are applicable, it is strongly recommended that a third party library is used. Implementing a secure Anti-CSRF system is a significant investment and difficult to do correctly.
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
352.1 | true | 352 | Passive | Medium |