CSRF vulnerabilities occur when attackers can trick an user to perform sensitive authenticated operations on a web application without his consent.
<body onload="document.forms[0].submit()">
<form>
<form action="http://mybank.com/account/transfer_money" method="POST">
<input type="hidden" name="accountNo" value="attacker_account_123456"/>
<input type="hidden" name="amount" value="10000"/>
<input type="submit" value="Steal money"/>
</form>
If an user visits the attacker's website which contains the above malicious code, his bank account will be debited without his consent and notice.
You are at risk if you answered yes to any of those questions.
GET which are designed to be
used only for information retrieval. Spring Security provides by default a protection against CSRF attacks.
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable(); // Sensitive
}
}
With Spring Security CSRF protection is enabled by default, do not disable it.
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.csrf().disable(); // Compliant
}
}