The application failed to protect against Cross-Site Request Forgery (CSRF) by using
secure application tokens or
SameSite cookie directives.
The vulnerability can be exploited by an attacker creating a link or form on a third party site and tricking an authenticated victim to access them.
Consider setting all session cookies to have the
SameSite=Strict attribute. However,
it should be noted that this may impact usability when sharing links across other mediums.
It is recommended that a two cookie based approach is taken, as outlined in the
Top level navigations section
of the RFC.
If the application is using a common framework, there is a chance that Anti-CSRF protection is built in but needs to be enabled. Consult your application framework documentation for details.
If neither of the above are applicable, it is strongly recommended that a third party library is used. Implementing a secure Anti-CSRF system is a significant investment and difficult to do correctly.