scala.play.security.conf-csrf-headers-bypass.conf-csrf-headers-bypass
semgrepAuthor
unknown
Download Count*
License
Possibly bypassable CSRF configuration found. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. Make sure that Content-Type black list is configured and CORS filter is turned on.
Run Locally
Run in CI
Defintion
rules:
- id: conf-csrf-headers-bypass
patterns:
- pattern-either:
- pattern: X-Requested-With = "*"
- pattern: Csrf-Token = "..."
- pattern-inside: |
bypassHeaders {...
...
...}
- pattern-not-inside: >
{...
...
...blackList = [..."application/x-www-form-urlencoded"..."multipart/form-data"..."text/plain"...]
...
...}
- pattern-not-inside: >
{...
...
...blackList = [..."application/x-www-form-urlencoded"..."text/plain"..."multipart/form-data"...]
...
...}
- pattern-not-inside: >
{...
...
...blackList = [..."multipart/form-data"..."application/x-www-form-urlencoded"..."text/plain"...]
...
...}
- pattern-not-inside: >
{...
...
...blackList = [..."multipart/form-data"..."text/plain"..."application/x-www-form-urlencoded"...]
...
...}
- pattern-not-inside: >
{...
...
...blackList = [..."text/plain"..."application/x-www-form-urlencoded"..."multipart/form-data"...]
...
...}
- pattern-not-inside: >
{...
...
...blackList = [..."text/plain"..."multipart/form-data"..."application/x-www-form-urlencoded"...]
...
...}
message: Possibly bypassable CSRF configuration found. CSRF is an attack that
forces an end user to execute unwanted actions on a web application in
which they’re currently authenticated. Make sure that Content-Type black
list is configured and CORS filter is turned on.
languages:
- generic
severity: ERROR
paths:
include:
- "*.conf"
metadata:
references:
- https://www.playframework.com/documentation/2.8.x/Migration25#CSRF-changes
- https://owasp.org/www-community/attacks/csrf
cwe:
- "CWE-352: Cross-Site Request Forgery (CSRF)"
owasp:
- A01:2021 - Broken Access Control
category: security
technology:
- scala
- play
confidence: MEDIUM
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site Request Forgery (CSRF)
Examples
conf-csrf-headers-bypass.conf
play.filters.csrf.header.bypassHeaders {
#ruleid: conf-csrf-headers-bypass
X-Requested-With = "*"
# ruleid: conf-csrf-headers-bypass
Csrf-Token = "nocheck"
}
# not enough blacklisted types
play.filters.csrf {
header {
bypassHeaders {
# ruleid: conf-csrf-headers-bypass
X-Requested-With = "*"
# ruleid: conf-csrf-headers-bypass
Csrf-Token = "nocheck"
}
protectHeaders = null
}
bypassCorsTrustedOrigins = false
method {
whiteList = []
blackList = ["POST"]
}
contentType.blackList = ["text/plain", "multipart/form-data", "something/weird"]
}
# safe configuration
play.filters.csrf {
header {
bypassHeaders {
#ok: conf-csrf-headers-bypass
X-Requested-With = "*"
#ok: conf-csrf-headers-bypass
Csrf-Token = "nocheck"
}
protectHeaders = null
}
bypassCorsTrustedOrigins = false
method {
whiteList = []
blackList = ["POST"]
}
contentType.blackList = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]
}
# safe configuration
play.filters.csrf {
header {
bypassHeaders {
#ok: conf-csrf-headers-bypass
X-Requested-With = "*"
#ok: conf-csrf-headers-bypass
Csrf-Token = "nocheck"
}
protectHeaders = null
}
bypassCorsTrustedOrigins = false
method {
whiteList = []
blackList = ["POST"]
}
contentType.blackList = [
"application/x-www-form-urlencoded",
"multipart/form-data",
"text/plain"
]
}Short Link: https://sg.run/4DEE