SV.CSRF.ORIGIN

This error identifies state-changing request handlers that do not validate that the request is same-origin.

Vulnerability and risk

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

Standard HTTP headers (Origin, Referer) should be checked and compared to ensure the request complies with the same-origin policy. If the source origin, as identified by the Origin or Referer headers, doesn’t match the expected origin, we have a cross-origin request.

Code examples

Vulnerable code example 1

    void doPost(HttpServletRequest req, HttpServletResponse resp) {
        String action = req.getParameter("action");
        String id = req.getParameter("id");

        if ("update".equals(action)) {
            updateUser(id, req);   // state change on a request whose origin was never checked
        }
        //...
    }

    void updateUser(String userid, HttpServletRequest req) {
        //...
    }

SV.CSRF.ORIGIN is reported on line 6 (the call to updateUser(id, req)): ‘req’ is never validated to be a same-origin request before the handler changes state. An attacker could cause a user’s browser to make a request on the user’s behalf originating from a malicious site.

Fixed code example 1

    void doPost(HttpServletRequest req, HttpServletResponse resp) {
        String origin = req.getHeader("Origin");
        // Only perform the state-changing action when the source origin
        // matches the origin this application expects
        if (isSameOriginRequest(origin)) {
            String action = req.getParameter("action");
            String id = req.getParameter("id");

            if ("update".equals(action)) {
                updateUser(id, req);
            }
        }
        //...
    }

    void updateUser(String userid, HttpServletRequest req) {
        //...
    }

This example checks a standard header for the source of the request (by inspecting the Origin header) and compares it to the expected value. If the values match, the request is same-origin and the state-changing action is allowed to proceed.
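The Origin/Referer comparison described above, written out as a reusable servlet filter that guards every state-changing method at once. This is an added example, not code from the Klocwork documentation or the checker itself; it assumes the javax.servlet API, Java 9 or later (for Set.of), and an expected origin supplied by the deployer, such as the example value https://app.example.com. The helper names isSameOriginRequest, sameOrigin and effectivePort are this example's own.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Rejects state-changing requests whose source origin (Origin header, falling
// back to Referer) is not the origin this application is served from.
// Added example, not Klocwork code; expectedOrigin is supplied by the deployer.
public class SameOriginFilter implements Filter {

    // Methods that change state and therefore need the origin check
    private static final Set<String> STATE_CHANGING = Set.of("POST", "PUT", "PATCH", "DELETE");

    private final String expectedOrigin;   // e.g. "https://app.example.com" (example value)

    public SameOriginFilter(String expectedOrigin) {
        this.expectedOrigin = expectedOrigin;
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String method = req.getMethod().toUpperCase(Locale.ROOT);

        if (STATE_CHANGING.contains(method)
                && !isSameOriginRequest(req.getHeader("Origin"), req.getHeader("Referer"), expectedOrigin)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-origin request rejected");
            return;
        }
        chain.doFilter(request, response);
    }

    // Prefer Origin; if absent fall back to Referer; if neither identifies a
    // source (or Origin is the literal "null"), treat the request as cross-origin.
    static boolean isSameOriginRequest(String origin, String referer, String expectedOrigin) {
        String source = (origin != null && !origin.isEmpty()) ? origin : referer;
        if (source == null || source.isEmpty() || "null".equals(source)) {
            return false;   // fail closed: an unknown source is not same-origin
        }
        return sameOrigin(source, expectedOrigin);
    }

    // Two URLs share an origin when scheme, host and effective port match;
    // path and query (present in a Referer) are ignored.
    static boolean sameOrigin(String a, String b) {
        try {
            URI ua = new URI(a);
            URI ub = new URI(b);
            if (ua.getScheme() == null || ua.getHost() == null
                    || ub.getScheme() == null || ub.getHost() == null) {
                return false;
            }
            return ua.getScheme().equalsIgnoreCase(ub.getScheme())
                    && ua.getHost().equalsIgnoreCase(ub.getHost())
                    && effectivePort(ua) == effectivePort(ub);
        } catch (URISyntaxException e) {
            return false;   // a malformed header never counts as same-origin
        }
    }

    // Default ports so that "https://h" and "https://h:443" compare equal
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }
}
```

Register the filter (in web.xml or through a FilterRegistration) on the paths that serve state-changing handlers. Because the validation then happens in the filter rather than inside each doPost, the analysis may still flag the handlers unless it is told that the filter validates origin, which is what the knowledge base mentioned under Extension is for. The filter compares scheme, host and effective port rather than the raw header string, so a Referer with a path or a default port written explicitly still matches, and it fails closed when neither header is present or the Origin is the literal "null". An origin check complements rather than replaces an anti-CSRF token: some clients omit Origin, and referrer policies can strip the Referer.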

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.