GET based CSRF
CSRF (Cross-Site Request Forgery) occurs when an external website has the ability to make API calls impersonating a user by visiting the website while being authenticated to your API.
Allowing API calls through
Note that CSRF is an attack vector that specifically target requests where the browser automatically provides authentication (typically through
Especially, if your application is attaching the credentials via an
Authorization header then the browser can't automatically authenticate the requests, and CSRF isn't possible.
Forbid API calls through
GET requests to prevent CSRF attacks.
csrfPrevention: true to
Check out the the CSRF prevention documentation for the best CSRF prevention techniques.
Make sure that your API does not use Cookie-based authentication.
There are many other ways to authenticate a user with AppSync:
- API Keys
- Amazon Cognito User Pools
- OpenID Connect
- AWS Identity and Access Management (IAM)
- AWS Lamba custom authentication
AppSync: Authorization and Authentication
Whichever method you use, verify that authentication occurs through headers because authentication headers are not automatically added by the targeted user browser (while Cookies are).
To avoid any risk, you can block every
GET request and allow only
POST requests, which are immune to this attack, but it comes at a cost. (see AWS pricing for the corresponding services)
- Block GET requests with AWS API Gateway (prefered method):
Put your AppSync API behind an API Gateway.
You can then configure the API Gateway to act as an HTTP Proxy to your AppSync endpoint and configure it to allow only POST requests.
- Block GET requests with AWS Web Application Firewall:
Add the following Web ACL rule in the AWS WAF Console to block every GET request to the API:
You can also configure it manually by using the following field values :
- Field to match = HTTP method
- Positional constraint = Exactly matches string
- Search string = GET
See: AppSync API with AWS WAF.
To learn more on AWS WAF, see: AWS WAF.
Ignoring this check
- Escape Severity: HIGH
- OWASP: A02:2023
- PCI DSS: 6.5.9
- WASC: 9
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2