
PHP : Cross-site request forgery (CSRF)

Overview

Cross-Site Request Forgery (CSRF) is possible.

Cross-Site Request Forgery (CSRF) attacks rank eighth on the OWASP Top 10 2013. CSRF is an attack in which a malicious website, e-mail or blog post causes a user's browser to perform an action on another site where the user is already logged in, without the user intending it.

A possible attack scenario:

The victim visits a site created by the attacker, which silently sends a request on the victim's behalf to another server (for example, a payment system) that then performs a harmful operation (e.g., transferring money to the attacker's account). For the attack to succeed, the victim must be authenticated on the server that receives the request, and the request must not require any confirmation from the user that the attacking script cannot ignore or forge.
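The following PHP fragment is an added example, not code from the DerScanner page: it shows a money-transfer handler with no CSRF protection next to the same handler guarded by a per-session synchronizer token and a SameSite session cookie. The function names (transfer_funds(), handle_transfer_*()), the form field names and the messages are assumptions chosen for illustration.

```php
<?php
// Added example (not from the DerScanner page). transfer_funds() and the
// form fields "to" / "amount" are assumptions for illustration.

// Mitigation 1: mark the session cookie SameSite so browsers omit it on
// cross-site POSTs (array form available since PHP 7.3).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Placeholder for the real business logic (assumption).
function transfer_funds(int $from, string $to, int $amount): string
{
    return "transferred $amount from user $from to $to";
}

// --- Vulnerable version ---------------------------------------------------
// Any authenticated browser that submits this form, including one steered
// there by another site, triggers the transfer: the session cookie is sent
// automatically and nothing proves the user intended the request.
function handle_transfer_vulnerable(array $post): string
{
    if (!isset($_SESSION['user_id'])) {
        return 'not logged in';
    }
    return transfer_funds($_SESSION['user_id'], $post['to'], (int)$post['amount']);
}

// --- Hardened version -----------------------------------------------------

// Mitigation 2: one random token per session, embedded in every
// state-changing form and checked on every state-changing request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for the form; htmlspecialchars() keeps the value safe in HTML.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing or wrong token rejects the request.
function csrf_valid(array $post): bool
{
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

function handle_transfer_protected(array $post, string $method): string
{
    if (!isset($_SESSION['user_id'])) {
        return 'not logged in';
    }
    // State changes only via POST, and only with a valid token.
    if ($method !== 'POST' || !csrf_valid($post)) {
        http_response_code(403);
        return 'request rejected: missing or invalid CSRF token';
    }
    return transfer_funds($_SESSION['user_id'], $post['to'], (int)$post['amount']);
}

// Dispatch: only the protected handler should be reachable in production.
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST') {
    echo handle_transfer_protected($_POST, $method);
} else {
    // GET renders the form with the token embedded.
    echo '<form method="post">' . csrf_field()
        . '<input name="to"><input name="amount" type="number">'
        . '<button>Transfer</button></form>';
}
```

The two mitigations are independent and complementary: the SameSite cookie stops the browser from attaching the session to a cross-site POST, while the token check fails closed even on browsers or request paths where the cookie attribute is not honoured. A scanner finding like the one on this page is typically cleared by the token check on every state-changing endpoint, not by a redirect or a Referer check alone.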

DerScanner Severity Score: MEDIUM


See also

PHP : Null salt
PHP : Empty password
PHP : Empty salt