Missing Cross-Site Request Forgery (CSRF) configuration

Description

Your application is vulnerable when Cross-Site Request Forgery (CSRF) protection is disabled. This weakness can allow attackers to deceive users into executing actions they did not intend, potentially compromising security or data integrity.

Remediations

  • Do ensure that CSRF protection is enabled in your web application's configuration settings. This prevents attackers from exploiting your web application by making unauthorized requests on behalf of the user.
    <?php
    // Symfony framework configuration (typically config/packages/framework.php)
    use Symfony\Config\FrameworkConfig;

    return static function (FrameworkConfig $framework): void {
        // Enable CSRF protection framework-wide so form and controller token checks are active.
        $framework->csrfProtection()
            ->enabled(true)
        ;
    };
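Enabling the option only registers the token manager; each state-changing endpoint still has to validate the token it receives. The following controller is an added example, not code from the rule page or from Symfony itself. It assumes the configuration above is in place and uses the hypothetical route, controller and token id names shown; the `isCsrfTokenValid()` helper and `createAccessDeniedException()` come from Symfony's `AbstractController`.

```php
<?php
// Added example (not from the original page): validate the CSRF token on a
// state-changing POST request before acting on it.
// Assumes framework.csrf_protection.enabled = true as configured above.

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class AccountController extends AbstractController
{
    // Hypothetical route name and path, chosen for illustration only.
    #[Route('/account/delete', name: 'account_delete', methods: ['POST'])]
    public function delete(Request $request): Response
    {
        // The token arrives as a hidden form field; '_token' is the conventional name.
        $submitted = (string) $request->request->get('_token', '');

        // 'delete-account' is the token id this form was rendered with (constructed name).
        // The check is constant-time inside Symfony; reject anything that does not match.
        if (!$this->isCsrfTokenValid('delete-account', $submitted)) {
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        // ... perform the deletion only after the token has been verified ...

        return $this->redirectToRoute('homepage');
    }
}
```

The matching form renders the token with `{{ csrf_token('delete-account') }}` in a hidden `_token` field. Note that `isCsrfTokenValid()` depends on the `security.csrf.token_manager` service: when `csrf_protection` is disabled, Symfony has no token manager to consult and the call raises a `LogicException` rather than silently passing, which is one reason the configuration flag and the per-endpoint check have to be kept together.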

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_symfony_csrf_protection_disabled

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_symfony_csrf_protection_disabled