Severity: medium | CWE-778 | OWASP Top 10 A01:2021

No Confirmation for Critical Actions

Destructive or irreversible actions (delete account, transfer funds, change email) that complete on a single authenticated request, with no confirmation step, are exposed to CSRF and to accidental clicks.

How It Works

A CSRF attack tricks a logged-in user's browser into sending a request to your app from a page the attacker controls; the browser attaches the session cookie, so the request looks authentic. If one such request is enough to delete the account or drain the balance, a malicious link or hidden form does the job. Two different controls cover the two risks. A server-side check that a foreign origin cannot satisfy, either a CSRF token tied to the session or re-entry of the user's password, defeats CSRF; a client-side confirmation dialog only prevents accidental clicks, because a forged request never passes through your UI. One practical caveat: a cross-origin fetch using a non-simple method such as DELETE, or a JSON body, triggers a CORS preflight that the browser refuses unless your server opts in, so the forged request in the wild is usually a GET or a plain HTML form POST. Any handler reachable that way with nothing but a session cookie is the target, and a handler like the one below stays one step from that whenever a GET or form-POST alias, a permissive CORS policy, or a hijacked session exists.

Vulnerable Code

// BAD: account deletion with no confirmation or re-auth
export async function DELETE(req: Request) {
  const { userId } = await getSession(req);
  // Nothing beyond the session cookie gates this request: no CSRF token is checked,
  // the password is not re-entered, and the deletion happens immediately.
  await db.users.delete({ id: userId }); // one click = account gone
  return Response.json({ deleted: true });
}

Secure Code

// GOOD: require password re-entry for destructive actions
import bcrypt from 'bcrypt';

// getSession() and db are the app's own helpers, as in the vulnerable version above.
export async function DELETE(req: Request) {
  const { userId } = await getSession(req);
  const { password } = await req.json();
  const user = await db.users.findById(userId);
  // A missing user, a missing password and a wrong password all get the same answer,
  // so the response leaks nothing about account state. The password is the one thing a
  // cross-site page cannot supply, so re-auth blocks CSRF as well as accidental clicks.
  if (!user || typeof password !== 'string' || !(await bcrypt.compare(password, user.passwordHash)))
    return Response.json({ error: 'Incorrect password' }, { status: 403 });
  await db.users.delete({ id: userId });
  return Response.json({ deleted: true });
}

Real-World Example

Account-deletion CSRF has been reported repeatedly on HackerOne: the endpoint accepted a single GET request carrying only the session cookie, so a link sent to a logged-in user triggered immediate deletion with no token check and no re-authentication.

How to Prevent It

  • Require password confirmation for account deletion, email changes, and payment method changes; a cross-site page cannot supply the password, and neither can someone who has only stolen the session cookie
  • Use POST with CSRF tokens for all state-changing operations, and never let a GET mutate state; SameSite cookies are a useful second layer, not a replacement for the token
  • Add a time delay (e.g., a 7-day grace period) for account deletion, with an emailed cancellation link, so a deletion the user did not intend can be reversed
  • Show a clear confirmation modal with the consequences spelled out before irreversible actions; this protects against accidental clicks only, since a forged request bypasses the UI
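The four measures above combined into one deletion flow, as an added example written for this page (it is not Data Hogo's code or the page's own snippets). It assumes an in-memory user and session store, Node's built-in scrypt in place of bcrypt, and a plain request object in place of the Web `Request` used above; the `x-csrf-token` header name, the `/account/cancel-deletion` path and the demo user are hypothetical. It also plays out the forged cross-site request described under How It Works: a request that carries the session cookie but neither the session-bound CSRF token nor the password is refused, and even a legitimate request only schedules the deletion, which a scheduled job carries out after the grace period unless the cancel link was used.

```typescript
import { scryptSync, randomBytes, timingSafeEqual, createHmac } from 'node:crypto';

// Constructed in-memory stand-ins for the page's getSession()/db helpers (assumptions, not the page's code).
type User = { id: string; passwordHash: string; deletionScheduledFor?: number; cancelToken?: string };
type Session = { userId: string; csrfSecret: string };
const users = new Map<string, User>();
const sessions = new Map<string, Session>();

const GRACE_PERIOD_MS = 7 * 24 * 60 * 60 * 1000; // the 7-day grace period from the list above

// Password hashing with Node's built-in scrypt (stands in for bcrypt so the example runs offline).
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  return `${salt.toString('hex')}:${scryptSync(password, salt, 32).toString('hex')}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, hashHex] = stored.split(':');
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), 32);
  return timingSafeEqual(actual, Buffer.from(hashHex, 'hex'));
}

// Constant-time comparison of two hex tokens; a length mismatch is simply "not equal".
function safeEqualHex(a: string, b: string): boolean {
  const ab = Buffer.from(a, 'hex');
  const bb = Buffer.from(b, 'hex');
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// CSRF token bound to the session. Only our own pages can read it, so a cross-site page cannot present it.
function csrfTokenFor(sessionId: string): string {
  const session = sessions.get(sessionId);
  if (!session) throw new Error('unknown session');
  return createHmac('sha256', session.csrfSecret).update(sessionId).digest('hex');
}

type Req = { method: string; sessionId: string; headers: Record<string, string>; body: Record<string, string> };
type Res = { status: number; body: Record<string, unknown> };

// Step 1 of deletion: check method, session, CSRF token and password, then schedule rather than delete.
function requestAccountDeletion(req: Req, now: number = Date.now()): Res {
  if (req.method !== 'POST') return { status: 405, body: { error: 'state changes require POST' } };
  const session = sessions.get(req.sessionId);
  if (!session) return { status: 401, body: { error: 'not signed in' } };
  const token = req.headers['x-csrf-token'];
  if (!token || !safeEqualHex(token, csrfTokenFor(req.sessionId)))
    return { status: 403, body: { error: 'invalid CSRF token' } };
  const user = users.get(session.userId);
  // A missing user and a wrong password get the same answer so the response does not leak account state.
  if (!user || !verifyPassword(req.body.password ?? '', user.passwordHash))
    return { status: 403, body: { error: 'incorrect password' } };
  user.cancelToken = randomBytes(32).toString('hex');
  user.deletionScheduledFor = now + GRACE_PERIOD_MS;
  // The cancel link would be e-mailed to the user; it only reverses the deletion, so a GET is acceptable here.
  return {
    status: 202,
    body: { scheduledFor: user.deletionScheduledFor, cancelLink: `/account/cancel-deletion?token=${user.cancelToken}` },
  };
}

// Cancel endpoint: a valid cancel token for a still-pending deletion clears it.
function cancelAccountDeletion(token: string, now: number = Date.now()): boolean {
  for (const user of users.values()) {
    if (!user.cancelToken || user.deletionScheduledFor === undefined || user.deletionScheduledFor <= now) continue;
    if (safeEqualHex(token, user.cancelToken)) {
      delete user.cancelToken;
      delete user.deletionScheduledFor;
      return true;
    }
  }
  return false;
}

// Step 2, run by a scheduled job: only accounts whose grace period has elapsed are actually removed.
function purgeExpiredAccounts(now: number = Date.now()): string[] {
  const purged: string[] = [];
  for (const [id, user] of users) {
    if (user.deletionScheduledFor !== undefined && user.deletionScheduledFor <= now) {
      users.delete(id);
      purged.push(id);
    }
  }
  return purged;
}

// Constructed fixture: one user, one session (demo data, not from the page).
function seed(): { sessionId: string; userId: string } {
  users.clear();
  sessions.clear();
  users.set('u1', { id: 'u1', passwordHash: hashPassword('correct horse battery staple') });
  sessions.set('s1', { userId: 'u1', csrfSecret: randomBytes(32).toString('hex') });
  return { sessionId: 's1', userId: 'u1' };
}
```

The order of the checks matters: method and CSRF token are rejected before the password is touched, so a forged request never causes a hash computation, and the password check covers the case where the token leaked or the session was hijacked. Deleting from the `Map` while iterating it is safe in JavaScript; in a real store the purge would be a single query on `deletionScheduledFor <= now`.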

Affected Technologies

javascript

Data Hogo detects this vulnerability automatically.