
CSRF validation missing - enhanced rule forked from main CodeQL queries

Open. aegilops opened this issue 2 years ago • 1 comment

Improvement on the existing cs/web/missing-token-validation rule.

I also don't want to take the same shortcut checking that at least one other HttpPost is validated before flagging those that aren't, since that leads to loads of FNs.

I plan to make one version that is just an update of the original, adding AspNetCore, but this is an attempt to be much more thorough on spotting anti-CSRF devices.

aegilops avatar Jun 13 '23 15:06 aegilops
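Added example (not code from the PR or the codeql-queries project): a Python model of the two checks the description contrasts. The thorough check flags every [HttpPost] action that no method attribute, class attribute or global AutoValidateAntiforgeryToken filter protects, while the shortcut only flags a class's unvalidated posts once another post in the same class is validated; on the constructed controllers below the shortcut misses LegacyController.Submit and AccountController.Webhook. The parser is a deliberate one-declaration-per-line approximation of C# attributes, not CodeQL's AST.

```python
import re
POST, VALIDATE, IGNORE = "httppost", "validateantiforgerytoken", "ignoreantiforgerytoken"
# Constructed ASP.NET Core controller fragments (not from the PR); one declaration per line.
SAMPLE = """
public class OrderController : Controller
    [HttpPost] public IActionResult Create(Order o)
    [HttpPost, ValidateAntiForgeryToken] public IActionResult Cancel(int id)
public class LegacyController : Controller
    [HttpPost("submit")] public IActionResult Submit(Form f)
    [HttpGet] public IActionResult Index()
[AutoValidateAntiforgeryToken]
public class AccountController : Controller
    [HttpPost] public IActionResult Login(LoginModel m)
    [HttpPost, IgnoreAntiforgeryToken] public IActionResult Webhook(Payload p)
"""

def parse_controllers(src):
    """Return [(class_name, class_attrs, [(action_name, action_attrs), ...]), ...]."""
    controllers, pending = [], set()
    for line in src.splitlines():
        groups = re.findall(r"\[([^\]]*)\]", line)  # e.g. 'HttpPost("x"), ValidateAntiForgeryToken'
        pending |= {re.sub(r"attribute$", "", p.strip().split("(")[0].lower())  # name only, lower-cased
                    for g in groups for p in g.split(",") if p.strip()}
        rest = re.sub(r"\[[^\]]*\]", "", line)      # attributes out of the way of the name regexes
        cls, act = re.search(r"\bclass\s+(\w+)", rest), re.search(r"\b(\w+)\s*\(", rest)
        if cls:
            controllers.append((cls.group(1), pending, []))
        elif act and controllers:
            controllers[-1][2].append((act.group(1), pending))
        if cls or act: pending = set()              # a declaration consumed the pending attributes
    return controllers

def unprotected_posts(src, global_auto_validate=False):
    """Thorough check: HttpPost actions with no method, class or global protection ([IgnoreAntiforgeryToken] wins)."""
    hits = []
    for cls, cattrs, actions in parse_controllers(src):
        class_ok = global_auto_validate or bool(cattrs & {VALIDATE, "autovalidateantiforgerytoken"})
        for name, attrs in actions:
            if POST in attrs and (IGNORE in attrs or (VALIDATE not in attrs and not class_ok)):
                hits.append((cls, name))
    return hits

def unprotected_posts_shortcut(src):
    """The shortcut the PR rejects: flag only where another HttpPost in the same class is validated."""
    hits = []
    for cls, _, actions in parse_controllers(src):
        posts = [(n, a) for n, a in actions if POST in a]
        if any(VALIDATE in a for _, a in posts):
            hits += [(cls, n) for n, a in posts if VALIDATE not in a]
    return hits
```

Passing global_auto_validate=True models an application-wide AutoValidateAntiforgeryToken filter, after which only the explicit [IgnoreAntiforgeryToken] opt-out remains flagged.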

This repo has been merged with the Security Lab one into the new community-codeql-packs repo which we plan to make public and promote soon. If you would like this PR to be applied to the new repo, please open a new PR there so it can get merged in the new QLPacks.

pwntester avatar Sep 21 '23 12:09 pwntester