CWE-352 Cross-Site Request Forgery
What this means
SiteShadow flagged state-changing requests that appear to rely on cookies/session auth but lack CSRF protections.
Why it matters
CSRF can let an attacker perform state-changing actions as an authenticated user, because the browser attaches the user's session cookies to cross-site requests automatically.
- A victim can be tricked into clicking a link or loading a page that triggers a "hidden" request.
- Impact includes password changes, email changes, purchases, or data deletion — depending on the endpoint.
Safer examples
1) Use CSRF tokens for cookie-authenticated sessions
Use your framework's CSRF middleware: tie each token to the user's session, require it on every state-changing request (POST, PUT, PATCH, DELETE), and rotate tokens appropriately (for example on login and logout).
2) Use SameSite cookies (defense-in-depth)
Set SameSite=Lax or Strict where possible (see S02 / CWE-614).
3) Prefer "double-submit" or header-based auth for APIs
For pure APIs, prefer Authorization headers (bearer tokens), which the browser does not attach on its own, and avoid relying on browser-sent cookies when feasible. Where cookies are unavoidable, a double-submit token (the same random value in a cookie and in a request header or form field) is an alternative to a server-side synchronizer token.
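The three safer patterns above, worked through in one place as an added example (this is not SiteShadow's code, and it is framework-independent): a synchronizer token bound to a cookie session, a SameSite=Lax session cookie, a bearer-token path that needs no CSRF check, and a stateless double-submit variant. The in-memory session store, the `API_TOKENS` table and the `authorize` function are assumptions made for this illustration.

```python
import hmac
import secrets

# In-memory session store: an assumption for this example (real apps use a
# server-side store such as a database or cache).
SESSIONS: dict[str, dict[str, str]] = {}

# Constructed table of valid API bearer tokens for the header-auth path.
API_TOKENS: dict[str, str] = {"constructed-api-token": "bob"}

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def create_session(user: str) -> tuple[str, str]:
    """Start a cookie-authenticated session and mint a per-session CSRF token
    (synchronizer token pattern). The token is rendered into forms or page JS;
    a cross-site page cannot read it."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": csrf_token}
    return session_id, csrf_token


def session_set_cookie(session_id: str) -> str:
    """Set-Cookie value for the session. SameSite=Lax keeps the cookie off
    cross-site POSTs; it is defense in depth, not a replacement for the token."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookies(header: str) -> dict[str, str]:
    """Parse a Cookie request header into a name -> value dict."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def authorize(method: str, headers: dict[str, str], form: dict[str, str]) -> tuple[bool, str]:
    """Decide whether a request may proceed; returns (allowed, reason).

    Bearer-token requests are not CSRF-exposed: browsers never add an
    Authorization header on their own. Cookie-authenticated state-changing
    requests must carry the session's CSRF token (form field or X-CSRF-Token)."""
    method = method.upper()
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return (True, "header-auth") if auth[7:] in API_TOKENS else (False, "invalid-bearer")

    session_id = parse_cookies(headers.get("Cookie", "")).get("session")
    session = SESSIONS.get(session_id) if session_id else None
    if session is None:
        return False, "unauthenticated"
    if method in SAFE_METHODS:
        return True, "safe-method"

    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted:
        return False, "missing-csrf-token"
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False, "csrf-token-mismatch"
    return True, "ok"


def double_submit_ok(headers: dict[str, str], form: dict[str, str]) -> bool:
    """Stateless alternative: a random 'csrf' cookie must equal the submitted
    value. A cross-site page can neither read the cookie nor guess the value."""
    cookie_value = parse_cookies(headers.get("Cookie", "")).get("csrf", "")
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    return bool(cookie_value) and bool(submitted) and hmac.compare_digest(cookie_value, submitted)


if __name__ == "__main__":
    sid, tok = create_session("alice")
    print(session_set_cookie(sid))
    print(authorize("POST", {"Cookie": f"session={sid}"}, {"csrf_token": tok}))
    print(authorize("POST", {"Cookie": f"session={sid}"}, {}))
```

The ordering in `authorize` matters: the bearer path is checked first so an API client is never asked for a CSRF token, and the safe-method shortcut only applies after the session has been found, so an unauthenticated GET still fails closed.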
How SiteShadow detects it (high level)
- Identifies cookie/session-auth patterns and flags state-changing routes missing CSRF middleware/token checks.
- Prioritizes endpoints that modify user data, permissions, billing, or secrets.
References
- CWE-352: https://cwe.mitre.org/data/definitions/352.html
---