CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)

BaseStable🏆 #5 in Top 25 (2024)

Description

View on MITRE
345Related CVEs
23.08Severity Score
Back to CWE Lookup

Technical Details

Structure
Composite
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

🏆 CWE Top 25 Historical Ranking

2023:#9
Score: 11.73
324 CVEs
2024:#5↑4
Score: 23.08
345 CVEs
Trend:Worsening (moved down 4 ranks)

Frequently Asked Questions

What is CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)?+

CWE-352: CWE-352: Cross-Site Request Forgery (CSRF) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

Is CWE-352 in the CWE Top 25 Most Dangerous Software Weaknesses?+

Yes. CWE-352 ranked #5 in the CWE Top 25 for 2024, associated with 345 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.

What are the security consequences of CWE-352: Cross-Site Request Forgery (CSRF)?+

If exploited, CWE-352 (CWE-352: Cross-Site Request Forgery (CSRF)) it can compromise Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash and Exit, leading to outcomes such as Scope: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could trick a client into making an unintentional request to the web server via a URL and image load.

How do you prevent or mitigate CWE-352: Cross-Site Request Forgery (CSRF)?+

Recommended mitigations for CWE-352 include: Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [ REF-1482 ]. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [ REF-330 ] Another example is the ESAPI Session Management control, which includes a component for CSRF. [ REF-45 ] Ensure that the application is free of cross-site scripting issues ( CWE-79 ), because most CSRF defenses can be bypassed using attacker-controlled script. Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable ( CWE-330 ). [ REF-332 ] Note: Note that this can be bypassed using XSS ( CWE-79 ).

Which programming languages are affected by CWE-352: Cross-Site Request Forgery (CSRF)?+

CWE-352 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-352 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More