Metastatic.Analysis.BusinessLogic.MissingCSRFProtection (Metastatic v0.10.4)


Detects state-changing endpoints without CSRF protection (CWE-352).

This analyzer identifies code patterns where state-changing HTTP operations (POST, PUT, PATCH, DELETE) are handled without CSRF token validation.

Cross-Language Applicability

CSRF affects every web framework; each has its own protection mechanism, and the analyzer looks for its absence:

  • Elixir/Phoenix: Route without :protect_from_forgery plug
  • Python/Django: View without @csrf_protect or middleware
  • JavaScript/Express: Route without csurf middleware
  • Ruby/Rails: Controller without protect_from_forgery
  • Java/Spring: Without Spring Security CSRF protection
  • C#/ASP.NET: Without [ValidateAntiForgeryToken]

Problem

Without CSRF protection:

  • Attackers can trick users into performing unwanted actions
  • State changes can be initiated from malicious sites
  • User accounts can be compromised through social engineering

Detection Strategy

The analyzer flags a function when all of the following hold:

  1. Functions handle state-changing HTTP methods (POST, PUT, PATCH, DELETE)
  2. No CSRF token validation is apparent
  3. The operation modifies state (database, session, etc.)
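As an added illustration of conditions 1 and 2 (not Metastatic's own implementation), the following Elixir module parses a Phoenix router into its AST and reports state-changing routes whose pipelines never call `plug :protect_from_forgery`; the sample router, the module name `CsrfRouteCheck` and the assumption that all pipelines are declared in the same router module are mine. It does not check condition 3, and a pipeline such as `:api` may be CSRF-free on purpose for token-authenticated clients, so findings still need the session-versus-token judgement a reviewer would apply.

```elixir
# Added example (not Metastatic's own code): flags state-changing Phoenix routes with no CSRF plug.
defmodule CsrfRouteCheck do
  @state_changing [:post, :put, :patch, :delete]
  # Constructed sample router: /admin is piped through :api, which has no CSRF plug.
  @sample_router ~S"""
  defmodule DemoWeb.Router do
    use DemoWeb, :router
    pipeline :browser do
      plug :accepts, ["html"]
      plug :protect_from_forgery
    end
    pipeline :api do
      plug :accepts, ["json"]
    end
    scope "/", DemoWeb do
      pipe_through :browser
      post "/comments", CommentController, :create
    end
    scope "/admin", DemoWeb do
      pipe_through :api
      delete "/users/:id", UserController, :delete
    end
  end
  """
  def demo, do: unprotected_routes(@sample_router)

  # Returns [{verb, path}] for routes that modify state but pass through no pipeline
  # that plugs :protect_from_forgery (conditions 1 and 2 of the detection strategy).
  def unprotected_routes(source) when is_binary(source) do
    {:ok, {:defmodule, _, [_name, [do: body]]}} = Code.string_to_quoted(source)
    items = block_items(body)
    safe = for {:pipeline, _, [name, [do: pbody]]} <- items,
               :protect_from_forgery in plugs(pbody), do: name
    scan(items, [], safe)
  end
  # Walk scope bodies, carrying the pipelines inherited from enclosing scopes.
  defp scan(items, inherited, safe) do
    local = for({:pipe_through, _, [p]} <- items, do: List.wrap(p))
    pipes = inherited ++ List.flatten(local)
    protected? = Enum.any?(pipes, &(&1 in safe))
    Enum.flat_map(items, fn
      {:scope, _, args} -> scan(block_items(Keyword.fetch!(List.last(args), :do)), pipes, safe)
      {verb, _, [path | _]} when verb in @state_changing and is_binary(path) ->
        if protected?, do: [], else: [{verb, path}]
      _ -> []
    end)
  end
  defp plugs(body), do: for({:plug, _, [name | _]} <- block_items(body), do: name)
  defp block_items({:__block__, _, items}), do: items
  defp block_items(single), do: [single]
end
```

Call `CsrfRouteCheck.demo/0` in `iex` to run it against the constructed router, or pass any router module's source text to `unprotected_routes/1`.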