Skip to main content

POST based CSRF

Description

The canonical content-type for GraphQL queries is JSON (application/json). Other content-types should be rejected as they facilitate CSRF attacks (e.g., via form submission).

Note that CSRF is an attack vector that specifically target requests where the browser automatically provides authentication (typically through Cookie or Basic Authentication).

Especially, if your application is attaching the credentials via an Authorization header then the browser can't automatically authenticate the requests, and CSRF isn't possible.

Remediation

Only allow requests with the Content-Type header set to application/json.

GraphQL Specific

Apollo

To mitigate POST-based CSRF attacks in the Apollo framework, implement anti-CSRF tokens in your application. Generate a unique token for each user session and include it as a hidden field in your forms. Verify the token on the server side before processing any POST requests. Additionally, consider using the 'sameSite' attribute for cookies to restrict cross-origin requests.

Yoga

To mitigate POST-based CSRF attacks in the Yoga framework engine, implement anti-CSRF tokens in your forms. Generate a unique token for each user session and include it as a hidden field in your POST forms. Verify the token on the server side before processing any POST request. Additionally, ensure that the 'SameSite' attribute for cookies is set to 'Lax' or 'Strict' to prevent cross-site request forgery. It's also recommended to use the Yoga framework's built-in security features or middleware that provide CSRF protection.

Awsappsync

To mitigate POST-based CSRF vulnerabilities in AWS AppSync, ensure that all sensitive mutations require authentication and are protected with tokens such as CSRF tokens or API keys. Implement a robust authentication mechanism, such as AWS Cognito, and use it to validate user sessions for each request. Additionally, consider using AWS WAF to create custom rules that validate the presence of custom headers or tokens that are unique to your application and difficult to forge. Regularly review and update your security policies to keep up with the latest threats.

Graphqlgo

To mitigate POST-based CSRF attacks in a GraphQL Go framework engine, implement anti-CSRF tokens by generating a unique token for each user session and requiring that token to be included as a header or in the payload of every state-changing POST request. Validate the token on the server side before processing the request. Additionally, ensure that CORS policies are correctly set to restrict cross-origin requests from untrusted domains.

Graphqlruby

To mitigate POST-based CSRF attacks in a GraphQL Ruby framework, ensure that you implement CSRF tokens within your application. Use the built-in Rails CSRF protection by including protect_from_forgery with: :exception in your controllers. Additionally, verify that every state-changing request includes a valid CSRF token. For GraphQL, you can pass the CSRF token within the HTTP headers or the body of the POST request and validate it on the server-side. Also, consider using same-site cookie attributes and CORS policies to restrict cross-origin requests.

Hasura

To mitigate POST-based CSRF attacks in the Hasura framework, ensure that all state-changing operations require a valid CSRF token. Implement a strong CSRF protection mechanism by utilizing Hasura's webhook or JWT-based authentication methods, which inherently provide CSRF protection by requiring a valid authentication token for each request. Additionally, consider using the 'SameSite' attribute for cookies to restrict their sending to same-site requests only. Regularly review and update your security configurations to keep up with best practices.

Configuration

Identifier: request_forgery/csrf_post_based

Examples

Ignore this check

checks:
request_forgery/csrf_post_based:
skip: true

Score

  • Escape Severity: MEDIUM

Compliance

  • OWASP: API2:2023

  • pci: 6.5.9

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification

  • CWE: 352

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R
  • CVSS_SCORE: 4.6

References