GraphQL Cross-Site Request Forgery

medium Web App Scanning Plugin ID 112920

Synopsis

GraphQL Cross-Site Request Forgery

Description

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime that executes those queries against the application's data. GraphQL servers often accept request bodies with `Content-Type` values other than `application/json` (such as `application/x-www-form-urlencoded` or `text/plain`), and accept GET requests carrying the operation in a URL parameter, for mutations as well as queries. A browser sends exactly these request shapes cross-site without a CORS preflight, together with the victim's cookies, so an attacker who lures an authenticated user to a malicious page can forge a request to the endpoint (Cross-Site Request Forgery, CSRF) and have the user's session execute any mutation it is authorized to run.

Solution

The application should validate an anti-CSRF token on every GraphQL request that changes state, accept only `application/json` bodies on the GraphQL endpoint, reject mutations sent over GET, and set the `SameSite` attribute to `Lax` (or `Strict`) on authentication cookies. Note that `SameSite=Lax` still sends cookies on top-level GET navigations, so on its own it does not protect a mutation reachable through GET; avoid the GET method for any operation that changes application state.

See Also

https://blog.doyensec.com/2021/05/20/graphql-csrf.html

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Plugin Details

Severity: Medium

ID: 112920

Type: remote

Published: 9/26/2022

Updated: 9/26/2022

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Reference Information