CWE - CWE-352: Cross-Site Request Forgery (CSRF) (Draft 9)

Home > CWE List > CWE-352 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-352 Individual Dictionary Definition (Draft 9)

Compound Element ID

Status: Incomplete

352 (Compound Element Variant: Composite)

Description

Summary

The web product does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Note: CSRF is multi-channel: 1. Attacker-to-victim (injection; external or internal channel) 2. Victim-to-server (activation; internal channel)

Alternate Terms

Session Riding

Cross Site Reference Forgery

XSRF

Observed Examples

Reference	Description
CVE-2004-1703
CVE-2004-1995
CVE-2004-1967
CVE-2004-1842
CVE-2005-1947
CVE-2005-2059
CVE-2005-1674	CSRF

Context Notes

Could be resultant from XSS, although XSS is not necessarily required.

References

Peter W. "Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)". Bugtraq. <http://marc.info/?l=bugtraq&m=99263135911884&w=2>.

Robert Auger. "CSRF - The Cross-Site Request Forgery (CSRF/XSRF) FAQ". <http://www.cgisecurity.com/articles/csrf-faq.shtml>.

Relationships

Nature	Type	ID	Name
ChildOf	Weakness Class	345	Insufficient Verification of Data Authenticity
Requires	Weakness Base	346	Origin Validation Error
Requires	Weakness Base	441	Unintended Proxy/Intermediary
Requires	Weakness Base	642	External Control of User State Data
Requires	Weakness Base	613	Insufficient Session Expiration
ChildOf	View	629
ChildOf	View	635
PeerOf	Weakness Base	79	Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))

Source Taxonomies

PLOVER - Cross-Site Request Forgery (CSRF)

Applicable Platforms

All

Time of Introduction

Architecture and Design

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
62	Cross Site Request Forgery (aka Session Riding)

Page Last Updated: April 22, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us