GET based CSRF
Description
CSRF (Cross-Site Request Forgery) occurs when an external website has the ability to make API calls impersonating a user by visiting the website while being authenticated to your API.
Allowing API calls through GET requests can lead to CSRF attacks because cookies are added automatically to GET requests made by the browser.
Note that CSRF is an attack vector that specifically target requests where the browser automatically provides authentication (typically through Cookie or Basic Authentication).
Especially, if your application is attaching the credentials via an Authorization header then the browser can't automatically authenticate the requests, and CSRF isn't possible.
Remediation
Forbid API calls through GET requests to prevent CSRF attacks.
GraphQL Specific
Apollo
To mitigate GET based CSRF vulnerabilities in the Apollo framework engine, ensure that state-changing actions are only performed via POST requests and not GET requests. Implement anti-CSRF tokens in forms and verify them on the server side for each POST request. Additionally, consider using the 'SameSite' attribute for cookies to restrict their sending to only first-party contexts. It's also advisable to check the 'Referer' header to validate that requests are coming from your own domain. For sensitive actions, re-authentication of the user may be appropriate.
Yoga
To mitigate GET based CSRF (Cross-Site Request Forgery) in the Yoga framework engine, ensure that state-changing actions are only performed via POST requests and not GET requests. Implement anti-CSRF tokens in forms and verify them on the server side for each POST request. Additionally, consider using the SameSite cookie attribute to control cross-origin requests and ensure that sensitive actions require re-authentication or additional user confirmation.
Awsappsync
To mitigate GET based CSRF vulnerabilities in AWS AppSync, ensure that all state-changing operations are performed using POST requests with appropriate CSRF tokens. Additionally, implement strict CORS policies to restrict cross-origin requests, and consider using AWS WAF to apply custom security rules that block suspicious or malicious requests.
Graphqlgo
Implement anti-CSRF tokens in your GraphQL API by generating a unique token for each session and requiring that token to be included as a header or in the payload of mutating requests. Validate the token on the server side before processing any changes.
Graphqlruby
To mitigate GET based CSRF vulnerabilities in a GraphQL Ruby framework, ensure that mutations are only allowed via POST requests and that proper CSRF tokens are implemented and validated for each session. Additionally, consider using the same-site cookie attribute to prevent CSRF attacks. Always validate and sanitize input data to prevent unauthorized operations.
Hasura
To mitigate GET based CSRF vulnerabilities in the Hasura framework, ensure that all state-changing operations are performed using POST requests with appropriate CSRF tokens. Additionally, implement and enforce a Content Security Policy (CSP) to restrict the sources from which scripts can be executed, and configure same-origin policy to prevent CSRF attacks. It's also recommended to use Hasura's webhook or JWT-based authentication to secure your GraphQL endpoints.
Configuration
Identifier:
request_forgery/csrf_get_based
Examples
Ignore this check
checks:
request_forgery/csrf_get_based:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
OWASP: API2:2023
pci: 6.5.9
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: SC-7
Classification
- CWE: 352
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2