Java Csrf And Xss Protection Disabled
Description
Detects when CSRF (Cross-Site Request Forgery) protections are explicitly disabled in Java applications. When CSRF protections are disabled, attackers can trick authenticated users into performing unwanted actions on the application, potentially leading to unauthorized state changes.
Detection Strategy
• Look for method calls containing 'csrf' in their name or context
• Check if these CSRF-related methods are followed by calls to 'disable' or 'ignoringAntMatchers'
• Flag configurations where CSRF protection features are explicitly turned off through these method calls
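The strategy above as a small runnable scanner, added here as an illustration and not Fluid Attacks' own detector: a regular expression flags a call whose name contains "csrf" followed in the same statement by .disable( or .ignoringAntMatchers(, run over constructed Java snippets. It also catches the lambda form csrf -> csrf.disable(), which the bullets do not mention, and skips commented-out code and unrelated .disable() calls.

```python
import re

# Mirrors the page's detection strategy: a call whose name contains "csrf",
# followed in the same statement (directly, or via a lambda such as
# csrf -> csrf.disable()) by .disable( or .ignoringAntMatchers(.
CSRF_DISABLED_RE = re.compile(
    r"\w*csrf\w*\s*\("                        # csrf( or csrf(csrf -> ...
    r"[^;]*?"                                 # rest of the same statement
    r"\.(disable|ignoringAntMatchers)\s*\(",  # the disabling call
    re.IGNORECASE,
)


def find_csrf_disabled(java_source: str) -> list[tuple[int, str]]:
    """Return (line_number, method) for each line that disables CSRF protection.

    Assumes one statement per line, as in the page's examples. '//' line
    comments are dropped first so commented-out code is not reported.
    """
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        code = line.split("//", 1)[0]
        match = CSRF_DISABLED_RE.search(code)
        if match:
            findings.append((line_no, match.group(1)))
    return findings


# Constructed sample: the page's two vulnerable calls, a lambda-style
# variant, a commented-out call and an unrelated .disable() on formLogin.
VULNERABLE_SAMPLE = """\
public class SecurityConfig {
    public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
        http.csrf().ignoringAntMatchers("/route/");
        http.csrf(csrf -> csrf.disable());
        // http.csrf().disable();
        http.formLogin().disable();
        return http.build();
    }
}
"""

# Constructed sample of the secure shape: CSRF stays enabled with a cookie
# token repository, so nothing should be reported.
SECURE_SAMPLE = """\
http.csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse());
return http.build();
"""
```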
Vulnerable code example
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
public class SecurityConfig {
    public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
        http.csrf().ignoringAntMatchers("/route/"); // Vulnerable: disables CSRF for a specific route
        http.csrf().disable(); // Vulnerable: completely disables CSRF protection
        return http.build();
    }
}
Secure code example
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
    @Bean
    public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
        return http.csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()).and().build(); // Secure (body completed from the imports above): CSRF stays enabled, tokens kept in a cookie repository
    }
}