
POST based CSRF

Description

The canonical content type for GraphQL operations is JSON (application/json). Other content types should be rejected because they enable CSRF: an HTML form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain, and a browser sends those cross-origin without a CORS preflight, whereas a request carrying Content-Type: application/json is not a "simple" request and is preflighted. A GraphQL endpoint that parses a form-encoded or text/plain body as a query can therefore be driven from an attacker-controlled page.

Note that CSRF is an attack vector that specifically targets requests where the browser attaches credentials automatically (typically a Cookie header or HTTP Basic authentication).

In particular, if your application sends credentials only in an Authorization header that client-side code sets explicitly (for example a bearer token), the browser cannot attach them to a cross-site request and CSRF is not possible. This holds only as long as the endpoint does not also accept the same session from a cookie.

Remediation

Only accept requests whose Content-Type header is application/json (a charset parameter such as application/json; charset=utf-8 is fine). Reject everything else, including requests with no Content-Type at all, with 415 Unsupported Media Type before the body is parsed.

GraphQL Specific

Apollo

Only allow requests with the Content-Type header set to application/json. Apollo Server also ships its own check, csrfPrevention (enabled by default in Apollo Server 4), which rejects requests that use a form-compatible content type unless they carry a custom header such as apollo-require-preflight, so that the browser is forced into a CORS preflight.

With Express.js, the enforce-content-type middleware can be used to block unwanted content types. Register it before the GraphQL route so that the check runs before any handler touches the body.

 const express = require('express')
 const enforceContentType = require('enforce-content-type')

 const app = express()

 // Mounted before the GraphQL route: anything that is not
 // application/json is rejected before the body is parsed.
 app.use(enforceContentType({
   type: 'application/json'
 }))

See: enforce-content-type GitHub Repo.
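The check the middleware above performs, written out as an added example (this is not the page's, Apollo's or the enforce-content-type package's code): an Express-compatible middleware that accepts only JSON on the GraphQL endpoint and answers 415 to everything else, including a missing header. The function names and the simulate helper are assumptions made for this example; simulate stands in for an Express req/res pair so the block runs offline.

```javascript
// Added example (not the page's or Apollo's own code): an Express-style
// middleware that accepts only JSON bodies on the GraphQL endpoint.
// Browser forms can only send application/x-www-form-urlencoded,
// multipart/form-data or text/plain without a CORS preflight, so
// insisting on application/json removes the form-submission CSRF vector.

// Extract the media type from a Content-Type header value, ignoring
// parameters such as "; charset=utf-8" and letter case.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// The only media type the GraphQL endpoint accepts.
const ALLOWED = 'application/json';

function isJsonContentType(contentType) {
  return mediaType(contentType) === ALLOWED;
}

// Express-compatible middleware: 415 Unsupported Media Type for anything
// that is not JSON. Mount it before the GraphQL handler.
function requireJson(req, res, next) {
  const header = req.headers && req.headers['content-type'];
  if (!isJsonContentType(header)) {
    res.status(415).json({
      errors: [{ message: `Content-Type must be ${ALLOWED}` }],
    });
    return;
  }
  next();
}

// Constructed stand-in for Express req/res so the example runs offline.
// Returns the HTTP status the middleware produced (200 when it let the
// request through to the next handler).
function simulate(contentType) {
  const req = { headers: {} };
  if (contentType !== undefined) req.headers['content-type'] = contentType;
  let statusCode = 200;
  const res = {
    status(code) { statusCode = code; return this; },
    json() { return this; },
  };
  requireJson(req, res, () => { /* GraphQL handler would run here */ });
  return statusCode;
}
```

In a real deployment the middleware is registered with app.use(requireJson) ahead of the GraphQL route. The parsing step matters: a naive equality check against the raw header would wrongly reject application/json; charset=utf-8, while a check that only looks for the substring "json" would wrongly accept values a browser form can never send anyway but that a lax client might.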

Configuration

Identifier: request_forgery/csrf_post_based

Examples

Ignore this check

 {
   "checks": {
     "request_forgery/csrf_post_based": {
       "skip": true
     }
   }
 }

Score

  • Escape Severity: MEDIUM
    • OWASP: API2:2023
    • PCI DSS: 6.5.9
    • CWE
      • 345
      • 346
      • 352
      • 693
    • WASC: WASC-09

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
  • CVSS_SCORE: 4.6

References