SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-352 Cross-Site Request Forgery

Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged state-changing requests that appear to rely on cookies/session auth but lack CSRF protections.

Why it matters

CSRF can let attackers perform actions on behalf of a user.

Safer examples

1) Use CSRF tokens for cookie-authenticated sessions

Use your framework's CSRF middleware and rotate tokens appropriately.

2) Use SameSite cookies (defense-in-depth)

Set SameSite=Lax or Strict where possible (see S02 / CWE-614).

3) Prefer "double-submit" or header-based auth for APIs

For pure APIs, prefer Authorization headers (bearer tokens) and avoid browser-sent cookies, when feasible.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.