Sobelow v0.11.0 Sobelow.Config.CSRFRoute
Cross-Site Request Forgery
In a Cross-Site Request Forgery (CSRF) attack, an untrusted application can cause a user's browser to submit requests or perform actions on the user's behalf.
Read more about CSRF here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
This type of CSRF is flagged by sobelow when state-changing routes share an action with GET-based routes. For example:
get "/users", UserController, :new
post "/users", UserController, :new
In this instance, it may be possible to trigger the POST functionality with a GET request and query parameters.
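The condition behind this check, reimplemented as a small standalone detector (added example, not Sobelow's own code): it parses the route macros of a constructed Phoenix router and flags every controller action that is reachable through both a GET route and a state-changing route. The `SAMPLE_ROUTER` text and the function names are constructed for this illustration.

```python
import re
from collections import defaultdict

# Route macros Sobelow treats as state-changing versus the GET-based ones a
# browser can be made to issue with a plain link or image tag.
STATE_CHANGING = {"post", "put", "patch", "delete"}
GET_BASED = {"get"}
# Matches lines such as:  post "/users", UserController, :new
ROUTE_RE = re.compile(
    r'^\s*(?P<verb>get|post|put|patch|delete)\s+"(?P<path>[^"]+)",\s*'
    r'(?P<controller>[A-Z][\w.]*),\s*:(?P<action>\w+)'
)

def parse_routes(router_source):
    """Return (verb, path, controller, action) for each route macro found."""
    routes = []
    for line in router_source.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["verb"], m["path"], m["controller"], m["action"]))
    return routes

def find_csrf_routes(router_source):
    """Flag (controller, action) pairs that have both a GET route and a
    state-changing route, i.e. the situation the page describes."""
    verbs_by_action = defaultdict(set)
    paths_by_action = defaultdict(list)
    for verb, path, controller, action in parse_routes(router_source):
        verbs_by_action[(controller, action)].add(verb)
        paths_by_action[(controller, action)].append(f"{verb} {path}")
    findings = []
    for key, verbs in sorted(verbs_by_action.items()):
        if verbs & GET_BASED and verbs & STATE_CHANGING:
            findings.append({"controller": key[0], "action": key[1],
                             "routes": paths_by_action[key]})
    return findings

# Constructed sample router: the first pair reproduces the page's example; the
# PostController routes keep GET (:new) and POST (:create) on separate actions.
SAMPLE_ROUTER = '''
  scope "/", DemoWeb do
    get "/users", UserController, :new
    post "/users", UserController, :new
    get "/posts/new", PostController, :new
    post "/posts", PostController, :create
    delete "/posts/:id", PostController, :delete
  end
'''

if __name__ == "__main__":
    for f in find_csrf_routes(SAMPLE_ROUTER):
        print(f"{f['controller']}.{f['action']}: {', '.join(f['routes'])}")
```

Only `UserController.new` is reported; the PostController routes pass because each state-changing verb maps to an action no GET route shares.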
CSRF checks can be ignored with the following command:
$ mix sobelow -i Config.CSRFRoute
Summary

Functions

combine_scopes(scopes)
details()
route_findings(scope, finding)
rule()