
Commit 516df3b

Jami Cogswell authored and committed
Java: qhelp wording updates
1 parent 0071e1a commit 516df3b

File tree

1 file changed

+9
-8
lines changed

java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.qhelp

Lines changed: 9 additions & 8 deletions
@@ -3,17 +3,18 @@
33

44
<overview>
55
<p>When you set up a web server to receive a request from a client without any mechanism
6-
for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can
7-
trick a client into making an unintended request to the web server that will be treated as
8-
an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can
9-
result in exposure of data or unintended code execution.</p>
6+
for verifying that it was intentionally sent, then it is vulnerable to a Cross Site Request
7+
Forgery (CSRF) attack. An attacker can trick a client into making an unintended request
8+
to the web server that will be treated as an authentic request. This can be done via a URL,
9+
image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.</p>
1010
</overview>
1111

1212
<recommendation>
13-
<p>Make sure any requests that change application state are protected from Cross Site Request Forgery (CSRF).
14-
Some application frameworks provide default CSRF protection for unsafe HTTP request methods (such as
15-
<code>POST</code>) which may change the state of the application. Safe HTTP request methods (such as
16-
<code>GET</code>) should be read-only and should not be used for actions that change application state.</p>
13+
<p>Make sure any requests that change application state are protected from CSRF. Some application
14+
frameworks provide default CSRF protection for unsafe HTTP request methods (such as <code>POST</code>)
15+
which may change the state of the application. Safe HTTP request methods (such as <code>GET</code>)
16+
should only perform read-only operations and should not be used for actions that change application
17+
state.</p>
1718

1819
<p>This query currently supports the Spring and Stapler web frameworks. Spring provides default CSRF protection
1920
for all unsafe HTTP methods. Stapler provides default CSRF protection for the <code>POST</code> method.</p>
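Review bot: the reworded overview (new lines 5-6) still carries the "When you set up a web server ... , then it is vulnerable to ..." construction, where "then" is redundant after "When" and "it" can be read as referring to the request rather than the server; a direct statement reads more cleanly, e.g. "A web server that receives a request from a client without any mechanism for verifying that it was intentionally sent is vulnerable to a Cross Site Request Forgery (CSRF) attack." Since the unchanged paragraph that follows notes that Stapler's default protection covers only <code>POST</code> while Spring covers all unsafe methods, the recommendation (new lines 13-17) could also say that where a framework's default protection does not cover every unsafe method, protection for the remaining state-changing methods must be enabled explicitly; as written, "Some application frameworks provide default CSRF protection for unsafe HTTP request methods" can be read as implying the defaults are sufficient.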
