HIGH CWE-352 Authentication

CWE-352 in APIs

CWE ID
CWE-352
Category
Input Validation
Severity
HIGH
Short Name
CSRF
Scan for CWE-352

What is CWE-352

CWE-352, known as Cross-Site Request Forgery (CSRF), is a web application weakness where an attacker tricks a victim into executing unwanted actions on a web application in which they're authenticated. The attacker crafts a malicious request and forces the victim's browser to send it to the target application, exploiting the victim's existing session cookies or authentication tokens.

The weakness manifests when applications rely solely on client-side cookies or session identifiers for authentication without validating that the request originated from the legitimate user interface. Since browsers automatically include cookies with requests to a domain, an attacker can create a malicious page that makes requests to the target application using the victim's credentials.

CWE-352 in API Contexts

In modern API architectures, CSRF vulnerabilities take different forms than traditional web applications. While APIs don't use browser-based sessions in the same way, they remain vulnerable through several mechanisms:

  • State-changing endpoints: APIs that perform actions (POST, PUT, DELETE) without proper anti-CSRF tokens
  • Session-based authentication: APIs using cookie-based sessions instead of token-based authentication
  • Missing SameSite cookie attributes: Cookies that can be sent in cross-site contexts
  • Unsafe consumption patterns: APIs that process requests from untrusted origins without validation

RESTful APIs are particularly vulnerable when they accept cookie-based authentication for state-changing operations. An attacker can create a malicious website that makes POST requests to an API endpoint, and if the victim is authenticated (cookies included), the API will process the request as if it came from the legitimate user.

Detection

Detecting CSRF vulnerabilities in APIs requires both automated scanning and manual testing approaches. middleBrick's API security scanner includes comprehensive CSRF detection through multiple techniques:

Automated CSRF Testing

middlebrick scan https://api.example.com/v1/users

The scanner tests for:

  • State-changing endpoints without anti-CSRF tokens
  • Cookie-based authentication on POST/PUT/DELETE endpoints
  • Missing SameSite cookie attributes
  • Unsafe consumption of cross-origin requests

Manual Testing Checklist

  • Test POST/PUT/DELETE endpoints with cookie authentication
  • Attempt state changes from external domains
  • Check for anti-CSRF tokens in API responses
  • Verify SameSite cookie attributes in response headers
  • Test with browser-based tools (Postman, curl) from different origins

Code Review Indicators

// Vulnerable pattern - no CSRF protection
app.post('/api/v1/users', (req, res) => {
    // Process user creation using session cookies
    createUser(req.body, req.session.userId);
});

Remediation

Effective CSRF protection in APIs requires a defense-in-depth approach. Here are proven remediation strategies with code examples:

1. Implement Anti-CSRF Tokens

The most robust defense is requiring a unique token for state-changing operations:

// Generate CSRF token middleware
const csrf = require('csurf');
const csrfProtection = csrf({ cookie: true });

// Protected endpoint
app.post('/api/v1/users', csrfProtection, (req, res) => {
    // req.csrfToken() is automatically validated
    createUser(req.body);
    res.json({ success: true });
});

2. Use SameSite Cookie Attributes

Prevent cookies from being sent in cross-site requests:

// Set SameSite cookies
res.cookie('session', sessionId, {
    httpOnly: true,
    secure: true,
    sameSite: 'Strict' // or 'Lax' for GET requests
});

3. Adopt Token-Based Authentication

Replace cookie-based sessions with JWT or API keys:

// JWT-based authentication (stateless)
const jwt = require('jsonwebtoken');

// Protected endpoint
app.post('/api/v1/users', authenticateJWT, (req, res) => {
    if (!req.user) {
        return res.status(401).json({ error: 'Unauthorized' });
    }
    createUser(req.body);
    res.json({ success: true });
});

4. Implement CORS Policies

Restrict which origins can access your API:

const cors = require('cors');

const corsOptions = {
    origin: ['https://yourdomain.com'], // Allow only trusted origins
    methods: ['GET', 'POST', 'PUT', 'DELETE'],
    credentials: true,
    allowedHeaders: ['Content-Type', 'Authorization']
};

app.use(cors(corsOptions));

5. Validate Request Origin

Check the Origin and Referer headers:

function validateOrigin(req, res, next) {
    const allowedOrigins = ['https://yourdomain.com'];
    const origin = req.get('origin') || req.get('referer');
    
    if (allowedOrigins.includes(origin)) {
        return next();
    }
    
    res.status(403).json({ error: 'Forbidden' });
}
Detect CWE-352 in your APIs View all CWEs

Frequently Asked Questions

How does CSRF differ from XSS in API security?
CSRF tricks the victim's browser into making unwanted requests using their authenticated session, while XSS injects malicious scripts that execute in the victim's browser. CSRF exploits trust in the user's authentication state, whereas XSS exploits trust in the content served by the application. Both can be devastating, but they require different defensive approaches.
Can middleBrick detect CSRF vulnerabilities in my API?
Yes, middleBrick's API security scanner includes comprehensive CSRF detection as part of its 12 security checks. It tests for state-changing endpoints without anti-CSRF tokens, cookie-based authentication vulnerabilities, missing SameSite attributes, and unsafe consumption patterns. The scanner provides specific findings with severity levels and remediation guidance to help you fix these vulnerabilities.

Related Pages

CWE-352 in AxumLearn how CWE-352 CSRF vulnerabilities manifest in Axum applications and how to detect and fix them using Axum's middlewCWE-352 in ActixLearn how CWE-352 CSRF vulnerabilities manifest in Actix applications, how to detect them with middleBrick's scanner, anCWE-352 in AdonisjsCWE-352 CSRF vulnerabilities in Adonisjs applications: detection, prevention, and remediation using framework-specific sCWE-352 in AspnetLearn how CWE-352 CSRF vulnerabilities manifest in ASP.NET applications and how to detect and remediate them using nativCWE-352 in GoLearn how CWE-352 (CSRF) manifests in Go applications, how to detect it with code review and middleBrick scans, and how CWE-352 in CsharpLearn how CWE-352 (CSRF) manifests in C# ASP.NET Core APIs, how middleBrick detects it via black-box scanning, and C#-spCWE-352 in JavascriptUnderstand CWE-352 (CSRF) in JavaScript APIs: attack vectors, detection techniques, and code-level fixes. Learn how middCWE-352 in JavaLearn how CWE-352 appears in Java APIs, how to detect it with middleBrick, and how to fix it with Java-specific code exaCWE-352 in Adonisjs (Typescript)Explore CWE-352 in AdonisJS with TypeScript: how CSRF risks arise and concrete TypeScript fixes using middleware, @csrf,CWE-352 in Aspnet (Csharp)CWE-352 CSRF in ASP.NET with C#: causes and C#-specific fixes with code examples for MVC controllers and Razor Pages.CWE-352 in Actix (Rust)CWE-352 in Actix with Rust: causes and remediation with code examples for secure cookie and CSRF token validation.CWE-352 in Axum (Rust)Explore CWE 352 (CSRF) in Axum with Rust, understand how cookie-based sessions expose risk, and apply concrete Rust-spec