Rule Definition
XSRF takes advantage the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
Remediation
Ensure you have not disable XSRF module in Angular Http Module
Violation Code Sample
@NgModule({
declarations: [
AppComponent,
ArtistSearchComponent
],
imports: [
BrowserModule,
FormsModule,
HttpClientModule,
HttpClientXsrfModule.disable(),
HttpClientXsrfModule.withOptions({
cookieName: 'My-Xsrf-Cookie',
headerName: 'My-Xsrf-Header',
}),
],
providers: [
HttpErrorHandler,
MessageService
],
bootstrap: [AppComponent]
})
export class AppModule { }
Fixed Code Sample
@NgModule({
declarations: [
AppComponent,
ArtistSearchComponent
],
imports: [
BrowserModule,
FormsModule,
HttpClientModule,
HttpClientXsrfModule.withOptions({
cookieName: 'My-Xsrf-Cookie',
headerName: 'My-Xsrf-Header',
}),
],
providers: [
HttpErrorHandler,
MessageService
],
bootstrap: [AppComponent]
})
export class AppModule { }
Reference
https://angular.io/api/common/http/HttpClientXsrfModule
https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
http://cwe.mitre.org/data/definitions/352.html
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.