Description

Your web application's GraphQL implementation accepts non-JSON queries over GET requests, increasing the risk of Cross-Site Request Forgery (CSRF) attacks. While JSON-based POST requests are generally considered resistant to CSRF, non-JSON GET requests are more susceptible to this type of attacks.

Remediation

Restrict GraphQL queries to JSON-based POST requests to limit the CSRF attack surface.

References

That single GraphQL issue that you keep missing

Related Vulnerabilities

Unsupported Hash Detected in Content Security Policy (CSP)

WordPress Plugin Product Catalog X Cross-Site Request Forgery (1.5.12)

Session cookies scoped to parent domain

WordPress Plugin SMTP Mailer Cross-Site Request Forgery (1.0.6)

WordPress Plugin WP-DownloadManager Cross-Site Request Forgery (1.60)

Severity

Medium

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Configuration CSRF