Cross-site request forgery (severity: High)

Insecure configuration, such as explicitly disabling Spring Security's CSRF protection, can lead to a cross-site request forgery (CSRF) vulnerability. This lets an attacker trick authenticated end users into submitting state-changing requests they did not intend, because the browser attaches the victim's session cookies to requests originating from the attacker's page.

Detector ID
kotlin/cross-site-request-forgery@v1.0
Category

Noncompliant example

import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke

// Noncompliant: CSRF protection disabled
@Configuration
@EnableWebSecurity
class WebSecurityConfig : WebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        http {
            // Turns off the CsrfFilter, so state-changing requests are
            // accepted without a synchronizer token.
            csrf { disable() }
            // Other security configurations...
        }
    }
}

Compliant example

import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke

// Compliant: By default CSRF protection is enabled
@Configuration
@EnableWebSecurity
class WebSecurityConfig : WebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        http {
            // An empty csrf block keeps the default CsrfFilter and
            // synchronizer-token check for POST/PUT/PATCH/DELETE.
            csrf { }
            // Other security configurations...
        }
    }
}
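The compliant example above keeps the default protection inside the deprecated WebSecurityConfigurerAdapter. The following is an added example, not part of the original detector page, showing the same rule in the current SecurityFilterChain bean style, with a cookie-based token repository for a JavaScript client, plus a MockMvc test that confirms a POST without a token is rejected. The endpoint path /transfer and the class names FilterChainConfig and CsrfEnforcementTest are assumptions chosen for illustration.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.csrf.CookieCsrfTokenRepository

// Added example: CSRF stays enabled; the token is exposed in a readable
// cookie (XSRF-TOKEN) so a browser script can echo it back in a header.
@Configuration
@EnableWebSecurity
class FilterChainConfig {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            csrf {
                // Do NOT call disable() here; instead choose where the
                // token is stored so single-page apps can still send it.
                csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()
            }
            authorizeHttpRequests {
                authorize(anyRequest, authenticated)
            }
            formLogin { }
        }
        return http.build()
    }
}

// Added test (assumed endpoint /transfer): a state-changing request from
// a logged-in user must be refused unless it carries a valid CSRF token.
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.security.test.context.support.WithMockUser
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.post

@SpringBootTest
@AutoConfigureMockMvc
class CsrfEnforcementTest(@Autowired val mockMvc: MockMvc) {

    @Test
    @WithMockUser
    fun `post without csrf token is forbidden`() {
        mockMvc.post("/transfer") {
            param("amount", "100")
        }.andExpect {
            status { isForbidden() }
        }
    }

    @Test
    @WithMockUser
    fun `post with csrf token is accepted`() {
        mockMvc.post("/transfer") {
            with(csrf())
            param("amount", "100")
        }.andExpect {
            status { isOk() }
        }
    }
}
```

The two tests are the regression check a reviewer wants next to any CSRF-related configuration change: if someone later adds csrf { disable() }, the first test starts failing because the unauthenticated-by-token POST is now accepted.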