TypeScript Manual CSRF Token Handling (Axios)
Description
This detector identifies axios HTTP requests in TypeScript/JavaScript code that do not implement proper CSRF (Cross-Site Request Forgery) token protection. Manual CSRF token handling vulnerabilities occur when applications omit anti-CSRF tokens from state-changing HTTP requests, or read the token from a source the attacker can influence (such as a URL parameter) rather than one the server controls, leaving them susceptible to CSRF attacks in which a malicious website performs unauthorized actions on behalf of an authenticated user.
Detection Strategy
• Scans TypeScript and JavaScript files for axios HTTP request calls (including aliased axios imports)
• Identifies axios requests that perform state-changing operations (POST, PUT, PATCH, DELETE methods)
• Reports vulnerabilities when axios requests lack proper CSRF token implementation in headers, request body, or configuration
• Triggers when requests to external endpoints or form submissions don't include anti-CSRF tokens like X-CSRF-Token, _token, or csrfmiddlewaretoken
• Flags axios calls that don't use CSRF protection mechanisms such as custom headers with tokens or request interceptors that add CSRF tokens
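The strategy above, as an added example (this is not the detector's own implementation): a small scanner over TypeScript/JavaScript source text that resolves the local axios alias, finds state-changing calls in both the shorthand (`axios.post(...)`) and generic (`axios({ method: 'post' })`) forms, treats a token-injecting request interceptor as covering the whole file, and reports calls whose arguments carry none of the token names listed above. The function names (`scanAxiosCsrf`, `callArguments`, `axiosAlias`) and the two sample sources are this example's own constructions.

```typescript
// Added example, not the detector's own implementation: a small scanner that
// approximates the detection strategy above on TypeScript/JavaScript source
// text. Names such as scanAxiosCsrf, Finding and the sample sources are this
// example's own constructions.

type Finding = { line: number; method: string; snippet: string };

// State-changing methods and anti-CSRF token names named on the page.
const STATE_CHANGING = new Set(['post', 'put', 'patch', 'delete']);
const CSRF_TOKEN_NAMES = ['X-CSRF-Token', '_token', 'csrfmiddlewaretoken'];

// Resolve the local name bound to axios: an ESM default-import alias, a
// CommonJS require alias, or plain "axios" when nothing is imported.
function axiosAlias(src: string): string {
  const esm = /import\s+(\w+)\s*(?:,\s*\{[^}]*\})?\s*from\s+['"]axios['"]/.exec(src);
  if (esm) return esm[1];
  const cjs = /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]axios['"]\s*\)/.exec(src);
  if (cjs) return cjs[1];
  return 'axios';
}

// Return the argument-list text starting at the opening parenthesis, walking
// balanced parentheses and skipping string literals so that brackets inside
// strings do not disturb the depth count (comments are not handled; heuristic).
function callArguments(src: string, open: number): string {
  let depth = 0;
  let quote: string | null = null;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;             // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === "'" || ch === '"' || ch === '`') {
      quote = ch;
    } else if (ch === '(') {
      depth++;
    } else if (ch === ')' && --depth === 0) {
      return src.slice(open, i + 1);
    }
  }
  return src.slice(open);               // unbalanced call: take the remainder
}

// Case-insensitive check for any known token name (header, body field, etc.).
function hasCsrfToken(text: string): boolean {
  const lower = text.toLowerCase();
  return CSRF_TOKEN_NAMES.some((name) => lower.includes(name.toLowerCase()));
}

function lineOf(src: string, index: number): number {
  return src.slice(0, index).split('\n').length;
}

function scanAxiosCsrf(src: string): Finding[] {
  const alias = axiosAlias(src);
  // A request interceptor that injects a token covers every call in the file.
  const interceptor = new RegExp(`\\b${alias}\\.interceptors\\.request\\.use\\s*\\(`).exec(src);
  if (interceptor && hasCsrfToken(callArguments(src, interceptor.index + interceptor[0].length - 1))) {
    return [];
  }
  const findings: Finding[] = [];
  const report = (at: number, prefix: string, method: string, args: string) =>
    findings.push({ line: lineOf(src, at), method: method.toUpperCase(), snippet: (prefix + args).split('\n')[0].trim() });

  // Form 1: alias.post(...), alias.put(...), alias.patch(...), alias.delete(...)
  const shorthand = new RegExp(`\\b${alias}\\.(post|put|patch|delete)\\s*\\(`, 'g');
  let m: RegExpExecArray | null;
  while ((m = shorthand.exec(src)) !== null) {
    const args = callArguments(src, m.index + m[0].length - 1);
    if (!hasCsrfToken(args)) report(m.index, m[0].slice(0, -1), m[1], args);
  }
  // Form 2: alias({ method: 'post', ... }) or alias.request({ method: ... })
  const generic = new RegExp(`\\b${alias}(?:\\.request)?\\s*\\(`, 'g');
  while ((m = generic.exec(src)) !== null) {
    const args = callArguments(src, m.index + m[0].length - 1);
    const method = /method\s*:\s*['"](\w+)['"]/i.exec(args);
    if (method && STATE_CHANGING.has(method[1].toLowerCase()) && !hasCsrfToken(args)) {
      report(m.index, m[0].slice(0, -1), method[1], args);
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: one read, two unprotected state-changing calls and one
// protected call, using an aliased axios import.
const SAMPLE_SOURCE = `import http from 'axios';
const token = document.querySelector('meta[name="csrf-token"]')?.getAttribute('content');
http.get('/api/orders');
http.post('/api/order', { sku: 'A1' });
http.put('/api/order/1', {}, { headers: { 'X-CSRF-Token': token } });
http({ method: 'delete', url: '/api/order/1' });
`;

// Constructed sample: an interceptor adds the header, so nothing is reported.
const INTERCEPTOR_SOURCE = `import axios from 'axios';
axios.interceptors.request.use((config) => {
  config.headers['X-CSRF-Token'] = readCsrfToken();
  return config;
});
axios.post('/api/order', {});
`;

console.log(scanAxiosCsrf(SAMPLE_SOURCE));       // two findings: lines 4 and 6
console.log(scanAxiosCsrf(INTERCEPTOR_SOURCE));  // []
```

The scanner is deliberately textual: it is a heuristic in the spirit of the bullet list, not a parser, so a token passed through a variable or a helper call it cannot see will still be reported and should be reviewed by hand.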
Vulnerable code example
import axios from 'axios';
// VULNERABLE: CSRF token extracted from URL can be manipulated by attackers
const token = window.location.search.split('csrfToken=')[1];
axios.post('/api/order', {}, {
  headers: {
    'X-CSRF-Token': token // Attacker-controlled token bypasses CSRF protection
  }
});
✅ Secure code example
import axios from 'axios';
// SECURE: CSRF token from meta tag set by server, not URL parameters
const token = document.querySelector('meta[name="csrf-token"]')?.getAttribute('content');
axios.post('/api/order', {}, {
  headers: {
    'X-CSRF-Token': token // Server-controlled token provides real CSRF protection
  }
});
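The secure pattern above repeated per call is easy to forget; the interceptor mechanism mentioned in the detection strategy centralises it. The following is an added example, not code from the page: it attaches `X-CSRF-Token` only to state-changing, same-origin requests (so the token is never sent to a third-party host), reads the token from the server-set meta tag as the secure example does, and fails closed when no token is available. It uses a minimal config shape (`method`, `url`, `headers`) compatible with axios's request config so it runs without axios installed; `attachCsrfToken`, `readMetaCsrfToken`, `isSameOrigin` and the constructed origin and token values are this example's own.

```typescript
// Added example, not code from the page: a request interceptor body that
// centralises CSRF token handling so no individual call can forget it or
// source the token from the wrong place. Minimal config shape compatible
// with axios's request config; names and sample values are this example's own.

interface RequestConfig {
  method?: string;
  url?: string;
  headers?: Record<string, string>;
}

// Methods that must not change state and therefore need no token.
const SAFE_METHODS = new Set(['get', 'head', 'options']);

// Read the token the server embedded in <meta name="csrf-token" content="...">,
// as in the secure example above. Returns null outside a browser or when the
// tag is missing (globalThis keeps this compilable without DOM typings).
function readMetaCsrfToken(): string | null {
  const doc = (globalThis as any).document;
  if (!doc) return null;
  return doc.querySelector('meta[name="csrf-token"]')?.getAttribute('content') ?? null;
}

// A token is only meaningful to our own server; sending it to another host
// would leak it. Relative paths are same-origin by definition, but a
// protocol-relative "//host/..." URL is not.
function isSameOrigin(url: string, origin: string | undefined): boolean {
  if (url.startsWith('/') && !url.startsWith('//')) return true;
  if (!origin) return false;
  try {
    return new URL(url, origin).origin === origin;
  } catch {
    return false;
  }
}

// Interceptor body: attach X-CSRF-Token to state-changing, same-origin
// requests; fail closed when no server-issued token is available.
function attachCsrfToken(
  config: RequestConfig,
  readToken: () => string | null = readMetaCsrfToken,
  origin: string | undefined = (globalThis as any).location?.origin,
): RequestConfig {
  const method = (config.method ?? 'get').toLowerCase();
  if (SAFE_METHODS.has(method)) return config;
  if (!isSameOrigin(config.url ?? '/', origin)) return config;
  const token = readToken();
  if (!token) {
    throw new Error(`no CSRF token available for ${method.toUpperCase()} ${config.url}`);
  }
  return { ...config, headers: { ...(config.headers ?? {}), 'X-CSRF-Token': token } };
}

// Registration with axios would be a one-liner (not executed here):
//   axios.interceptors.request.use((c) => attachCsrfToken(c));

// Constructed demonstration with a fixed token and origin.
const demo = attachCsrfToken({ method: 'post', url: '/api/order' }, () => 'constructed-token', 'https://app.example');
console.log(demo.headers);   // { 'X-CSRF-Token': 'constructed-token' }
```

Throwing on a missing token makes the request promise reject rather than silently sending an unprotected state-changing request, which surfaces a missing meta tag during development instead of relying on the server to reject it.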