Do not detect HttpDelete or HttpPut
gitlab-org/security-products/analyzers/semgrep!150 (closed)
"HttpPost" is not the only ASP.NET application that requires CSRF protection. It seems that the countermeasure is missing.
This code is detected as vulnerable by Semgrep C# analyzer.
```csharp
[HttpPost]
public void Post() {}
```
However, this code is not detected.
```csharp
[HttpDelete]
public void Delete() {}
```
A list of HTTP methods to be detected.
- HttpPost - OK
- HttpDelete - NG
- HttpPatch - NG
- HttpPut - NG
Edited by Tomo Masakura
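
The detection gap reported above, as an added example that is not part of the original issue or the analyzer's own rule: a Python check that flags actions carrying any of the four listed verb attributes, and reproduces the HttpPost-only result when restricted to that verb. It assumes CSRF protection is declared per action with `[ValidateAntiForgeryToken]`, which the issue does not name; the function names and the sample controller are constructed for illustration.

```python
import re

# Verb attributes from the list in the issue; ANTIFORGERY is an assumption (not on the page).
STATE_CHANGING = {"HttpPost", "HttpDelete", "HttpPatch", "HttpPut"}
ANTIFORGERY = {"ValidateAntiForgeryToken"}
STRING = re.compile(r'"(?:[^"\\]|\\.)*"')
SECTION = re.compile(r"\s*\[([^\]]*)\]")
METHOD = re.compile(r"\b(?:public|private|protected|internal)\b[^;={(]*?\b(\w+)\s*\(")

def attribute_names(section):
    """Attribute names in one [A, B(...)] section, arguments and 'Attribute' suffix dropped."""
    n = 1
    while n:  # peel nested argument lists from the inside out
        section, n = re.subn(r"\([^()]*\)", "", section)
    names = {re.sub(r"Attribute$", "", p.strip().split(".")[-1]) for p in section.split(",")}
    return names - {""}

def find_unprotected_actions(source, verbs=STATE_CHANGING):
    """Return (line, method, verb) for actions with a verb in `verbs` and no ANTIFORGERY."""
    findings, pending = [], set()
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = STRING.sub('""', raw)  # literals like "[controller]" would confuse SECTION
        while (m := SECTION.match(line)):
            pending |= attribute_names(m.group(1))
            line = line[m.end():]
        if not line.strip():
            continue  # attribute-only or blank line: keep collecting
        decl = METHOD.search(line)
        if decl and not pending & ANTIFORGERY:
            findings += [(lineno, decl.group(1), v) for v in sorted(pending & set(verbs))]
        pending = set()  # attributes apply only to the next declaration
    return findings

SAMPLE = '''
[Route("api/[controller]")]
public class ItemsController : Controller {
    [HttpPost]
    public void Post() {}
    [HttpDelete("{id}")]
    public void Delete(int id) {}
    [HttpPut, ValidateAntiForgeryToken]
    public void Put() {}
    [HttpPatch]
    [ValidateAntiForgeryToken]
    public void Patch() {}
}
'''  # constructed sample controller, not from the page

if __name__ == "__main__":
    print(find_unprotected_actions(SAMPLE), find_unprotected_actions(SAMPLE, {"HttpPost"}))
```

The scan is line-based, so a comment placed between an attribute and its method resets the collected attributes; treat it as a teaching aid rather than a replacement for the analyzer.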