SYM_JSTS_0066 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cross-Site Request Forgery (CSRF)
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
OWASP | A01:2021 - Broken Access Control |
Confidence Level | Low |
Impact Level | High |
Likelihood Level | Low |
Description
Your Express application does not appear to use CSRF protection middleware such as `csurf` or `csrf`. Without CSRF validation, your app is vulnerable to malicious requests from other sites that can trick users into performing unwanted actions.
Impact
If exploited, attackers could perform actions on behalf of authenticated users without their consent, such as changing account information or making purchases. This can lead to compromised user accounts, data loss, and potential financial or reputational damage to your application.