
GET based CSRF

Description

CSRF (Cross-Site Request Forgery) occurs when an external website can make API calls impersonating a user: the user visits the attacker-controlled site while authenticated to your API, and the browser sends the forged request with the user's credentials attached.

Allowing API calls through GET requests can lead to CSRF attacks because the browser automatically attaches cookies to the GET requests it makes, including navigations and resource loads triggered by another origin.

Note that CSRF is an attack vector that specifically targets requests where the browser automatically provides authentication (typically through a Cookie or Basic Authentication).

In particular, if your application attaches the credentials via an Authorization header set by client-side code, the browser can't automatically authenticate the requests, and CSRF isn't possible.

Remediation

Forbid API calls through GET requests to prevent CSRF attacks.
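The following is an added example, not Escape's code and not the code of any GraphQL framework: a framework-agnostic request gate in Node.js that enforces this remediation in front of a GraphQL HTTP endpoint. By default it rejects every GET, as the page recommends; an opt-in mode lets read-only queries through on GET while still refusing mutations and subscriptions there. POST requests that arrive with a form-submittable ("simple") content type must additionally carry a custom header, because an HTML form on another origin cannot add one. The request shape (`method`, `url`, `headers`, `body`), the header name and the sample requests are assumptions constructed for this example.

```javascript
// Added example (not Escape's, Apollo's or Yoga's code): a request gate that
// enforces "no state-changing calls over GET" for a GraphQL HTTP endpoint.
// The request shape and the header name are assumptions for this example.

// Content types a browser can send without a CORS preflight. HTML forms and
// plain navigations can only produce these, so a request carrying one of
// them may have been forged by another origin.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// A custom header: cross-origin pages cannot add it without a preflight,
// and the preflight fails unless your CORS policy allows that origin.
const REQUIRED_HEADER = 'x-requested-with';

// Collect the top-level operation types of a GraphQL document.
// Conservative by design: any top-level "mutation" or "subscription" word
// counts, so an odd document is rejected rather than executed.
function operationTypes(document) {
  const src = document.replace(/#[^\n\r]*/g, ''); // strip comments
  const types = new Set();
  let depth = 0;
  let word = '';
  let keywordPending = false; // current top-level definition began with a keyword
  const flush = () => {
    if (depth === 0 && word !== '') {
      if (word === 'query' || word === 'mutation' || word === 'subscription') {
        types.add(word);
        keywordPending = true;
      } else if (word === 'fragment') {
        keywordPending = true;
      }
    }
    word = '';
  };
  for (const ch of src) {
    if (/[A-Za-z0-9_]/.test(ch)) { word += ch; continue; }
    flush();
    if (ch === '{') {
      if (depth === 0 && !keywordPending) types.add('query'); // "{ ... }" shorthand
      depth += 1;
    } else if (ch === '}') {
      depth -= 1;
      if (depth === 0) keywordPending = false;
    }
  }
  flush();
  return types;
}

// Decide whether a request may reach the executor.
// allowReadOnlyGet=false matches the remediation above (no API calls over
// GET at all); true lets pure queries through on GET but never mutations.
function gate(req, { allowReadOnlyGet = false } = {}) {
  const method = req.method.toUpperCase();
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;

  let document;
  if (method === 'GET') {
    if (!allowReadOnlyGet) return { allowed: false, status: 405, reason: 'GET not allowed' };
    document = new URL(req.url, 'http://localhost').searchParams.get('query');
  } else if (method === 'POST') {
    document = req.body && req.body.query;
  } else {
    return { allowed: false, status: 405, reason: 'method not allowed' };
  }
  if (typeof document !== 'string' || document.trim() === '') {
    return { allowed: false, status: 400, reason: 'missing query' };
  }

  const types = operationTypes(document);
  if (method === 'GET') {
    if (types.size !== 1 || !types.has('query')) {
      return { allowed: false, status: 405, reason: 'only read-only queries may use GET' };
    }
    return { allowed: true, status: 200, reason: 'read-only query over GET' };
  }

  // POST: a form-submittable content type must also carry the custom header.
  const contentType = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if ((contentType === '' || SIMPLE_CONTENT_TYPES.has(contentType)) && !headers[REQUIRED_HEADER]) {
    return { allowed: false, status: 403, reason: `simple-request content type without ${REQUIRED_HEADER}` };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Constructed sample requests, shaped as a page on another origin could produce them.
const SAMPLES = {
  forgedGet: { method: 'GET', url: '/graphql?query=' + encodeURIComponent('mutation { deleteAccount }'), headers: {} },
  readGet: { method: 'GET', url: '/graphql?query=' + encodeURIComponent('{ me { id } }'), headers: {} },
  formPost: { method: 'POST', url: '/graphql', headers: { 'Content-Type': 'text/plain' }, body: { query: 'mutation { deleteAccount }' } },
  jsonPost: { method: 'POST', url: '/graphql', headers: { 'Content-Type': 'application/json' }, body: { query: 'mutation { deleteAccount }' } },
};
```

Even with `allowReadOnlyGet` enabled, the gate only checks the operation keyword; a query field whose resolver changes state is still reachable over GET, so the resolvers behind query fields must themselves be side-effect free. The content-type rule is the same idea Apollo Server implements with its `csrfPrevention` option, which is why JSON POSTs pass and `text/plain` POSTs without a custom header do not.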

GraphQL Specific

  • Apollo: To mitigate GET based CSRF vulnerabilities in the Apollo framework engine, ensure that state-changing actions are only performed via POST requests and not GET requests. Implement anti-CSRF tokens in forms and verify them on the server side for each POST request. Additionally, consider using the SameSite attribute for cookies to restrict their sending to first-party contexts. It is also advisable to check the Referer header to validate that requests are coming from your own domain. For sensitive actions, re-authentication of the user may be appropriate.
  • Yoga: To mitigate GET based CSRF (Cross-Site Request Forgery) in the Yoga framework engine, ensure that state-changing actions are only performed via POST requests and not GET requests. Implement anti-CSRF tokens in forms and verify them on the server side for each POST request. Additionally, consider using the SameSite cookie attribute to control cross-origin requests, and ensure that sensitive actions require re-authentication or additional user confirmation.
  • Awsappsync: To mitigate GET based CSRF vulnerabilities in AWS AppSync, ensure that all state-changing operations are performed using POST requests with appropriate CSRF tokens. Additionally, implement strict CORS policies to restrict cross-origin requests, and consider using AWS WAF to apply custom security rules that block suspicious or malicious requests.
  • Graphqlgo: Implement anti-CSRF tokens in your GraphQL API by generating a unique token for each session and requiring that token to be included as a header or in the payload of mutating requests. Validate the token on the server side before processing any changes.
  • Graphqlruby: To mitigate GET based CSRF vulnerabilities in a GraphQL Ruby framework, ensure that mutations are only allowed via POST requests and that proper CSRF tokens are implemented and validated for each session. Additionally, consider using the SameSite cookie attribute to prevent CSRF attacks. Always validate and sanitize input data to prevent unauthorized operations.
  • Hasura: To mitigate GET based CSRF vulnerabilities in the Hasura framework, ensure that all state-changing operations are performed using POST requests with appropriate CSRF tokens. Additionally, implement and enforce a Content Security Policy (CSP) to restrict the sources from which scripts can be executed, and configure same-origin restrictions to prevent CSRF attacks. It is also recommended to use Hasura's webhook or JWT-based authentication to secure your GraphQL endpoints.
  • Agoo: Ensure that state-changing operations in the Agoo framework are not performed using GET requests, to prevent CSRF vulnerabilities.
  • Ariadne: Implement CSRF tokens for state-changing requests and ensure that sensitive operations are not performed using GET requests in the Ariadne framework.
  • Caliban: Ensure that all state-changing operations in the Caliban framework are performed using HTTP methods other than GET, such as POST, PUT, or DELETE, to prevent CSRF attacks.
  • Dgraph: Implement CSRF protection by using anti-CSRF tokens for state-changing operations, and ensure that sensitive actions are not performed via GET requests in the Dgraph framework.
  • Dianajl: Implement CSRF tokens for state-changing requests and ensure that GET requests are idempotent and do not alter server state.
  • Directus: Disable GET requests for state-changing operations in Directus and use CSRF tokens for POST, PUT, and DELETE requests to ensure requests are authenticated and authorized.
  • Flutter: Implement CSRF protection by using tokens in your Flutter application. Ensure that all state-changing requests (e.g., POST, PUT, DELETE) include a CSRF token that is validated on the server side. This token should be unique per session and should not be included in GET requests, to prevent CSRF attacks.
  • Graphene: Implement CSRF protection by using anti-CSRF tokens in your Graphene framework API. Ensure that state-changing operations are performed using methods other than GET, such as POST, and validate the presence and correctness of CSRF tokens in these requests.
  • Graphqlapiforwp: Implement CSRF protection by requiring a custom header for state-changing GraphQL operations, ensuring that requests are not automatically authenticated by the browser.
  • Graphqlgophergo: Implement CSRF protection by requiring a custom header for state-changing GraphQL operations, ensuring that the browser does not automatically include credentials in requests.
  • Graphqljava: Implement CSRF protection by using anti-CSRF tokens for state-changing operations in the GraphQL Java framework. Ensure that these tokens are validated on the server side to prevent unauthorized requests.
  • Graphqlphp: Implement CSRF protection by using anti-CSRF tokens in your GraphQL requests. Ensure that each request includes a unique token that is validated on the server side to confirm the authenticity of the request.
  • Graphqlyoga: Implement CSRF protection by using anti-CSRF tokens for state-changing operations in the GraphQL Yoga framework, ensuring that only requests with valid tokens are processed.
  • Hypergraphql: Implement CSRF protection by ensuring that state-changing operations are not performed via GET requests, and use anti-CSRF tokens for POST requests in the HyperGraphQL framework.
  • Jaal: Implement CSRF tokens for state-changing requests and ensure that GET requests are idempotent and do not alter server state.
  • Juniper: Implement CSRF tokens for state-changing requests and ensure that sensitive operations are not performed using GET requests in the Juniper framework.
  • Lacinia: Implement CSRF tokens for state-changing requests in the Lacinia framework to prevent unauthorized actions.
  • Lighthouse: Implement CSRF tokens for state-changing requests.
  • Mercurius: Implement CSRF protection by using anti-CSRF tokens for state-changing operations, and ensure that sensitive actions are not performed via GET requests in the Mercurius framework.
  • Morpheusgraphql: Implement CSRF tokens for state-changing operations and ensure that sensitive actions are not performed via GET requests in the MorpheusGraphQL framework.
  • Qglgen: Implement CSRF protection by using anti-CSRF tokens in the qglgen framework to ensure that state-changing requests are protected and cannot be forged by external sites.
  • Sangria: Implement CSRF protection by using anti-CSRF tokens in your Sangria GraphQL API to ensure that requests are legitimate and originate from authenticated users.
  • Shopify: Implement CSRF tokens for all state-changing requests in the Shopify framework to ensure that requests are validated and originate from authenticated users.
  • Stepzen: Implement CSRF protection by using non-GET methods for state-changing operations and include anti-CSRF tokens in requests to ensure that requests are intentionally made by authenticated users.
  • Strawberry: Implement CSRF tokens for state-changing requests and ensure that sensitive operations are not performed using GET requests in the Strawberry framework.
  • Tartiflette: Implement CSRF protection by using anti-CSRF tokens for state-changing operations in the Tartiflette framework, ensuring that only intended requests are processed.
  • Wpgraphql: Implement CSRF protection by using nonces for all state-changing operations in the WPGraphQL framework.

Configuration

Identifier: request_forgery/csrf_get_based

Examples

Ignore this check

checks:
  request_forgery/csrf_get_based:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API2:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.9
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: SC-7

Classification

  • CWE: 352

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2
