CSRF vulnerabilities occur when attackers can trick a user to perform sensitive authenticated operations on a web application without his consent.

<body onload="document.forms[0].submit()">
<form>
<form action="http://mybank.com/account/transfer_money" method="POST">
    <input type="hidden" name="accountNo" value="attacker_account_123456"/>
    <input type="hidden" name="amount" value="10000"/>
    <input type="submit" value="Steal money"/>
</form>

If an user visits the attacker's website which contains the above malicious code, his bank account will be debited without his consent and notice.

Ask Yourself Whether

• There exist sensitive operations on the web application that can be performed when the user is authenticated.
• The state / resources of the web application could be modified by doing HTTP POST or HTTP DELETE requests for example.
• The web application is not only a public API designed to be requested by external websites.

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

• Protection against CSRF attacks is strongly recommended:
  • to be activated by default for all unsafe HTTP methods.
  • implemented, for example, with an unguessable CSRF token
• Of course all sensitive operations should not be performed with safe HTTP methods like GET which are designed to be used only for information retrieval.

Sensitive Code Example

For a Django application, the code is sensitive when,

• django.middleware.csrf.CsrfViewMiddleware is not used in the Django settings:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
] # Sensitive: django.middleware.csrf.CsrfViewMiddleware is missing

• the CSRF protection is disabled on a view:

@csrf_exempt # Sensitive
def example(request):
    return HttpResponse("default")

For a Flask application, the code is sensitive when,

• the WTF_CSRF_ENABLED setting is set to false:

app = Flask(__name__)
app.config['WTF_CSRF_ENABLED'] = False # Sensitive

• the application doesn't use the CSRFProtect module:

app = Flask(__name__) # Sensitive: CSRFProtect is missing

@app.route('/')
def hello_world():
    return 'Hello, World!'

• the CSRF protection is disabled on a view:

app = Flask(__name__)
csrf = CSRFProtect()
csrf.init_app(app)

@app.route('/example/', methods=['POST'])
@csrf.exempt # Sensitive
def example():
    return 'example '

• the CSRF protection is disabled on a form:

class unprotectedForm(FlaskForm):
    class Meta:
        csrf = False # Sensitive

    name = TextField('name')
    submit = SubmitField('submit')

Compliant Solution

For a Django application,

• it is recommended to protect all the views with django.middleware.csrf.CsrfViewMiddleware:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware', # Compliant
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

• and to not disable the CSRF protection on specific views:

def example(request): # Compliant
    return HttpResponse("default")

For a Flask application,

• the CSRFProtect module should be used (and not disabled further with WTF_CSRF_ENABLED set to false):

app = Flask(__name__)
csrf = CSRFProtect()
csrf.init_app(app) # Compliant

• and it is recommended to not disable the CSRF protection on specific views or forms:

@app.route('/example/', methods=['POST']) # Compliant
def example():
    return 'example '

class unprotectedForm(FlaskForm):
    class Meta:
        csrf = True # Compliant

    name = TextField('name')
    submit = SubmitField('submit')

See

• MITRE, CWE-352 - Cross-Site Request Forgery (CSRF)
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• OWASP: Cross-Site Request Forgery
• SANS Top 25 - Insecure Interaction Between Components