Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Aws-lambda
- Gin
- Gorilla
- Gorm
- Grpc
- Jwt-go
- Lang
- Net
- Active-debug-code
- Command-injection
- Csrf
- Gorilla-csrf
- Go-net-http-form-without-gorilla-csrf-protection
- Go-net-http-handlefunc-without-gorilla-csrf-protection
- Go-net-http-route-without-gorilla-csrf-protection
- Dos
- Nosql
- Path-traversal
- Sql
- Ssrf
- Xss
- Xxe
- Otto
- Secrets
- Template
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Go net http handlefunc without gorilla csrf protection
The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. This vulnerability can be prevented by getting the CSRF token from the request and including it in a response header by including $W.Header.Set(X-CSRF-Token", csrf.Token($R))
in the function before calling $W.Write()
, or by wrapping the $FUNC
call with csrf.Protect(authKey)($FUNC)
and using a key retrieved for instance from an environment variable.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
- A05:2017 - Broken Access Control