CSRF vulnerabilities occur when an attacker can trick a user into performing sensitive, authenticated operations on a web application without that user's consent.
```html
<!-- Attacker-hosted page: the hidden form is submitted automatically on load,
     and the browser attaches the victim's bank session cookie to the request. -->
<body onload="document.forms[0].submit()">
  <form action="http://mybank.com/account/transfer_money" method="POST">
    <input type="hidden" name="accountNo" value="attacker_account_123456"/>
    <input type="hidden" name="amount" value="10000"/>
    <input type="submit" value="Steal money"/>
  </form>
</body>
```
If a user visits the attacker's website containing the above malicious code, their bank account will be debited without their consent or knowledge.
There is a risk if you answered yes to any of those questions.
GET, which are designed to be used only for information retrieval.

Spring Security provides CSRF protection by default; the following configuration disables it:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable(); // Sensitive: switches off the default CSRF protection
    }
}
```
With Spring Security, CSRF protection is enabled by default; do not disable it:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http.csrf().disable(); // Compliant: the default CSRF protection stays active
    }
}
```
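As an added illustration (not code from the rule page or from Spring Security itself), the following is a minimal model of the synchronizer-token check that the default protection performs: safe methods pass unchecked, while state-changing requests must carry the session's unguessable token in the `_csrf` form field or `X-CSRF-TOKEN` header (the default names Spring Security uses). The `Request`, `issue_token`, `csrf_check` and `demo` names are assumptions, and the transfer requests are constructed to mirror the bank example above.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods the check leaves alone; they must therefore never change state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
PARAM_NAME = "_csrf"          # form field name used by Spring Security's default
HEADER_NAME = "X-CSRF-TOKEN"  # header name used by Spring Security's default


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (not a framework type)."""
    method: str
    path: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_token() -> str:
    """Unguessable per-session token, kept server-side and echoed into each form."""
    return secrets.token_urlsafe(32)


def csrf_check(session_token: str, req: Request) -> bool:
    """Synchronizer-token check: reject unsafe-method requests lacking the session's token."""
    if req.method.upper() in SAFE_METHODS:
        return True
    presented = req.headers.get(HEADER_NAME) or req.form.get(PARAM_NAME)
    if presented is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(session_token, presented)


def demo() -> dict:
    token = issue_token()
    # The attacker's auto-submitting form: the cookie is sent, but no token is.
    forged = Request("POST", "/account/transfer_money",
                     form={"accountNo": "attacker_account_123456", "amount": "10000"})
    # The bank's own form, rendered with the session token in a hidden field.
    genuine = Request("POST", "/account/transfer_money",
                      form={"accountNo": "savings_42", "amount": "100", PARAM_NAME: token})
    lookup = Request("GET", "/account/balance")          # safe method, passes unchecked
    wrong = Request("POST", "/account/transfer_money", form={PARAM_NAME: "guess"})
    return {"forged": csrf_check(token, forged), "genuine": csrf_check(token, genuine),
            "lookup": csrf_check(token, lookup), "wrong": csrf_check(token, wrong)}


if __name__ == "__main__":
    print(demo())
```

The cross-site page cannot read the victim's token, so its forged POST is rejected while the bank's own form, which embeds the token, is accepted.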