CSRF vulnerabilities occur when attackers can trick a user to perform sensitive authenticated operations on a web application without his consent.
<body onload="document.forms[0].submit()"> <form> <form action="http://mybank.com/account/transfer_money" method="POST"> <input type="hidden" name="accountNo" value="attacker_account_123456"/> <input type="hidden" name="amount" value="10000"/> <input type="submit" value="Steal money"/> </form>
If an user visits the attacker's website which contains the above malicious code, his bank account will be debited without his consent and notice.
You are at risk if you answered yes to any of those questions.
GET
which are designed to be
used only for information retrieval. Spring Security provides by default a protection against CSRF attacks.
@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); // Sensitive } }
With Spring Security CSRF protection is enabled by default, do not disable it.
@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // http.csrf().disable(); // Compliant } }