CSRF vulnerabilities occur when an attacker can trick a user into performing sensitive authenticated operations on a web application without the user's consent.
<body onload="document.forms[0].submit()">
<form action="http://mybank.com/account/transfer_money" method="POST">
  <input type="hidden" name="accountNo" value="attacker_account_123456"/>
  <input type="hidden" name="amount" value="10000"/>
  <input type="submit" value="Steal money"/>
</form>
</body>
If a user visits the attacker's website containing the above malicious code, his bank account will be debited without his consent or knowledge.
There is a risk if you answered yes to any of those questions.
HTTP GET requests are designed to be used only for information retrieval and must not perform sensitive operations. Spring Security enables protection against CSRF attacks by default.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable(); // Sensitive: every unsafe request is now accepted without a CSRF token
    }
}
Spring Security enables CSRF protection by default; do not disable it.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http.csrf().disable(); // Compliant: the default CSRF protection stays active
    }
}
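When a single endpoint genuinely cannot carry a CSRF token (for example a server-to-server webhook authenticated by its own signature), the fix is to scope the exemption to that path and keep the protection on everywhere else, not to disable it globally. The configuration below is an added example, not code from the original page or from the Spring project; the "/api/webhook/**" path is a hypothetical placeholder.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // CSRF protection stays enabled. The token is issued in a cookie that
                // JavaScript may read, so a browser-side client echoes it back in the
                // X-XSRF-TOKEN header on POST/PUT/PATCH/DELETE. Safe methods such as
                // GET are not checked, which is why GET must never change state.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Exempt only the one endpoint that is not driven by a browser session
                // (hypothetical path; it must authenticate requests by other means).
                .ignoringAntMatchers("/api/webhook/**")
            .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A cross-site form like the one at the top of this page still fails against every other path: the attacker's page cannot read the victim's XSRF-TOKEN cookie, so the forged POST arrives without a valid token and is rejected with 403.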