
Investigate vulnerability: Potential Cross-Site Request Forgery (CSRF)

Issue created from vulnerability 2694

Description:

The application failed to protect against Cross-Site Request Forgery (CSRF) due to not including the [ValidateAntiForgeryToken] attribute on an HTTP method handler that could change user state (usually in the form of POST or PUT methods).

The vulnerability can be exploited by an adversary who places a link or form on a third-party site and tricks an authenticated victim into accessing it; the browser attaches the victim's session cookie to the resulting request.

Add the [ValidateAntiForgeryToken] attribute to all action methods that accept user data and change user state (such as writing a new value to the database). This is especially important for functionality such as updating passwords and other security-sensitive operations.

Alternatively, applications can enable a global AutoValidateAntiforgeryTokenAttribute filter.

For more information on ValidateAntiForgeryToken and other CSRF protections in .NET see the following URL: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery

Additionally, consider setting all session cookies with the SameSite=Strict attribute. Note that this may affect usability when links are shared across other mediums (a top-level navigation from another site will not carry the cookie). A two-cookie approach is recommended, as outlined in the Top-level navigations section of the SameSite RFC.

For more information on CSRF see OWASP's guide: https://owasp.org/www-community/attacks/csrf
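The fix described above, as an added example that is not code from the affected project: the flagged shape of the handler is shown in a comment, followed by the annotated version, the global AutoValidateAntiforgeryTokenAttribute filter, and the SameSite=Strict session cookie. AccountController, ChangePasswordModel and the _users service are hypothetical names.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Constructed model for the example.
public class ChangePasswordModel
{
    public string CurrentPassword { get; set; } = "";
    public string NewPassword { get; set; } = "";
}

public class AccountController : Controller
{
    // Before (the pattern SCS0016 flags): a state-changing POST handler with
    // no anti-forgery check. A form on a third-party site can submit to it and
    // the browser attaches the victim's session cookie.
    //
    //   [HttpPost]
    //   public IActionResult ChangePassword(ChangePasswordModel model)
    //   {
    //       _users.SetPassword(User, model.NewPassword);   // hypothetical service
    //       return RedirectToAction("Index");
    //   }

    // After: the request must also carry the anti-forgery token issued to this
    // session. The Razor <form asp-action="..."> tag helper or
    // @Html.AntiForgeryToken() emits it; a cross-site form cannot obtain it.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangePassword(ChangePasswordModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // _users.SetPassword(User, model.NewPassword);   // hypothetical service
        return RedirectToAction("Index");
    }
}

// Program.cs alternative: validate every unsafe method (POST, PUT, PATCH,
// DELETE) without annotating each action, and mark the session cookie Strict.
public static class Startup
{
    public static WebApplication Build(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
        builder.Services.AddSession(options =>
            options.Cookie.SameSite = SameSiteMode.Strict);
        return builder.Build();
    }
}
```

With the global filter in place, an action that legitimately must accept cross-site POSTs (for example a webhook receiver) is opted out explicitly with [IgnoreAntiforgeryToken], which keeps such exceptions visible in code review.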

Identifiers:

  • A5:2017 - Broken Access Control
  • A01:2021 - Broken Access Control
  • security_code_scan.SCS0016-1
  • SCS0016
  • CWE-352

Scanner:

  • Name: Semgrep