Absence of anti-CSRF tokens
Description
The application failed to protect against Cross-Site Request Forgery (CSRF) by using secure application tokens or SameSite cookie directives.
The vulnerability can be exploited by an attacker creating a link or form on a third-party site and tricking an authenticated victim into accessing it.
Remediation
Consider setting all session cookies to have the SameSite=Strict attribute. However, it should be noted that this may impact usability when sharing links across other mediums.
It is recommended that a two-cookie-based approach is taken, as outlined in the Top-level navigations section of the RFC.
If the application is using a common framework, there is a chance that Anti-CSRF protection is built in but needs to be enabled. Consult your application framework documentation for details.
If neither of the above is applicable, it is strongly recommended that a third-party library be used. Implementing a secure Anti-CSRF system is a significant investment and difficult to do correctly.
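As an added illustration, not part of the GitLab documentation or of the DAST check itself, the Python below sketches the two-cookie approach from the remediation: a SameSite=Lax "reader" cookie that still arrives on top-level navigations (so shared links land on a logged-in page) and a SameSite=Strict "writer" cookie that the browser withholds from any cross-site-initiated request, which is what a forged form submission looks like to the server. It also includes a small passive check over Set-Cookie headers for cookies that carry no SameSite attribute at all. The cookie names, the authorize() helper, its return values and the sample inputs are all assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Cookie names are assumptions for this example, not names used by GitLab DAST.
READER = "session_read"   # SameSite=Lax: sent on top-level navigations, so shared links work
WRITER = "session_write"  # SameSite=Strict: never sent on cross-site-initiated requests

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session_id() -> str:
    """Unguessable session identifier (256 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(32)


def session_cookie_headers(session_id: str) -> list[str]:
    """Build the two Set-Cookie header values for one session.

    Both cookies carry the same identifier; the reader cookie alone is enough to
    render pages, but state-changing requests also require the writer cookie.
    """
    jar = SimpleCookie()
    for name, samesite in ((READER, "Lax"), (WRITER, "Strict")):
        jar[name] = session_id
        jar[name]["path"] = "/"
        jar[name]["secure"] = True
        jar[name]["httponly"] = True
        jar[name]["samesite"] = samesite
    return [jar[name].OutputString() for name in (READER, WRITER)]


def authorize(method: str, cookie_header: str) -> str:
    """Decide how to treat a request from its method and Cookie header.

    Returns "anonymous", "allow-read", "allow-write" or "reject". A POST that
    arrives with the Lax reader cookie but without the Strict writer cookie is
    exactly what a cross-site form submission looks like, so it is rejected.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    reader = jar.get(READER)
    writer = jar.get(WRITER)
    if reader is None:
        return "anonymous"
    if method.upper() in SAFE_METHODS:
        # Safe methods must not change state: a cross-site top-level GET still
        # carries the Lax cookie, so this branch offers no CSRF protection.
        return "allow-read"
    if writer is None or not secrets.compare_digest(writer.value, reader.value):
        return "reject"
    return "allow-write"


def cookies_without_samesite(set_cookie_headers: list[str]) -> list[str]:
    """Passive check: names of cookies set without any SameSite attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "samesite" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    sid = new_session_id()
    for h in session_cookie_headers(sid):
        print("Set-Cookie:", h)
    # Constructed requests: the first is what a forged cross-site POST looks like.
    print(authorize("POST", f"{READER}={sid}"))                   # reject
    print(authorize("POST", f"{READER}={sid}; {WRITER}={sid}"))   # allow-write
    print(cookies_without_samesite(["sid=abc; Path=/; Secure"]))  # ['sid']
```

The design keeps the usability the text warns about: a victim following a shared link still sees their logged-in view, because only the Lax cookie is needed to read. What it does not do is protect state changes made over GET, which is why the safe-method branch is commented as such; any action that modifies state has to live behind a non-safe method for the Strict cookie check to matter.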
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
352.1 | true | 352 | Passive | Medium |
Links