Request Forgery: CSRF Get Based

Identifier: csrf_get_based

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

GET-based CSRF vulnerabilities occur when APIs accept state-changing actions via GET requests, allowing attackers to trick authenticated users' browsers into making unintended requests.

How we test: We identify GET endpoints that perform state-changing operations and test whether they can be triggered by cross-site requests. We check whether CSRF protection mechanisms such as anti-CSRF tokens or SameSite cookies are properly implemented to prevent unauthorized actions.
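As an added illustration (not part of this page or the scanner's own code), the Python below places a handler that accepts a state change on GET next to a hardened version that requires POST, checks the Origin header and verifies a session-bound anti-CSRF token; the request class, the /account/email path, the secret and the origins are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"server-side-secret-for-demo"  # constructed; a real app loads this from config


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the app sees it (constructed)."""
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)
    session_id: str = "sess-123"  # the session cookie rides along on cross-site GETs too


def vulnerable_update_email(account: dict, req: Request) -> int:
    """State change on GET: a URL embedded by any third-party page fires it with the victim's cookie."""
    if req.path != "/account/email":
        return 404
    account["email"] = req.params["email"]
    return 200


def csrf_token(session_id: str) -> str:
    """Synchronizer token tied to the session by HMAC; the app embeds it in its own forms."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_update_email(account: dict, req: Request,
                          app_origin: str = "https://app.example.com") -> int:
    """Same operation with the protections the description refers to."""
    if req.path != "/account/email":
        return 404
    if req.method != "POST":  # state changes are never accepted on GET
        return 405
    if req.headers.get("Origin", "") != app_origin:  # reject cross-site (or missing) Origin
        return 403
    expected = csrf_token(req.session_id)
    if not hmac.compare_digest(req.params.get("csrf_token", ""), expected):
        return 403  # token absent or not bound to this session
    account["email"] = req.params["email"]
    return 200


# Constructed cross-site request: what the victim's browser sends when another page embeds the URL.
FORGED = Request("GET", "/account/email", {"email": "attacker@example.net"})
```

Run against FORGED, the vulnerable handler returns 200 and changes the address, while the hardened one returns 405 and leaves the account untouched; a SameSite=Lax or Strict session cookie adds a second, browser-side layer on top of these server checks.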

Configuration

Example

Example configuration:

---
security_tests:
  csrf_get_based:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.