Go net http form without gorilla csrf protection
go-net-http-form-without-gorilla-csrf-protection
go-net-http-form-without-gorilla-csrf-protection
The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. This vulnerability can be prevented by getting the CSRF token from the request and including it in a response header by including $W.Header.Set(X-CSRF-Token", csrf.Token($R)) in the function before calling $W.Write(), or by wrapping the $FUNC call with csrf.Protect(authKey)($FUNC) and using a key retrieved for instance from an environment variable.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
- A05:2017 - Broken Access Control
Go net http form without gorilla csrf protection
go-net-http-form-without-gorilla-csrf-protection
go-net-http-form-without-gorilla-csrf-protection
The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. This vulnerability can be prevented by getting the CSRF token from the request and including it in a response header by including $W.Header.Set(X-CSRF-Token", csrf.Token($R)) in the function before calling $W.Write(), or by wrapping the $FUNC call with csrf.Protect(authKey)($FUNC) and using a key retrieved for instance from an environment variable.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
- A05:2017 - Broken Access Control