GraphQL CSRF / GET method

By kannthu

Informative
Vidoc Module
#graphql
Description
Author: Dolev Farhi

Cross-Site Request Forgery happens when an external website gains the ability to make API calls impersonating a user who visits that website while being authenticated to your API. Allowing API calls through GET requests can lead to CSRF attacks, because the browser attaches cookies automatically to cross-site GET requests (for example those triggered by links or image tags) without any preflight check.

Reference
- https://graphql.org/learn/serving-over-http/#get-request
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security/
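As an added example (not part of the Vidoc module or of DVGA), the following Python function applies the usual server-side defences against GraphQL-over-GET CSRF: mutations are refused over GET, GET queries must carry a custom header that cross-site forms and image tags cannot set, POST bodies must be application/json, and any Origin header is checked against an allow-list. The allowed origin and the header name are assumptions.

```python
import re
from typing import Mapping, Tuple

# Hypothetical allow-list of first-party front-end origins (assumption).
ALLOWED_ORIGINS = {"https://app.example.com"}

# A custom header that simple cross-site requests (links, forms, <img>)
# cannot carry; it forces a CORS preflight. The name is an assumption.
CSRF_HEADER = "x-requested-with"

_OP_RE = re.compile(r"^\s*(query|mutation|subscription)\b", re.IGNORECASE)


def operation_type(query: str) -> str:
    """Return the operation type of a GraphQL document.

    Shorthand documents such as '{__typename}' are queries by definition.
    """
    match = _OP_RE.match(query)
    return match.group(1).lower() if match else "query"


def check_graphql_request(method: str, headers: Mapping[str, str],
                          query: str) -> Tuple[bool, str]:
    """Decide whether a GraphQL request may be executed.

    Returns (allowed, reason) so the caller can log why it was refused.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}

    if method == "GET":
        # GET is only acceptable for read-only queries ...
        if operation_type(query) != "query":
            return False, "mutations and subscriptions must use POST"
        # ... and only when the client proves it is not a plain cross-site
        # navigation by sending a header only script can add.
        if CSRF_HEADER not in hdrs:
            return False, f"GET queries require the {CSRF_HEADER} header"
    elif method == "POST":
        # JSON bodies are not 'simple' requests, so cross-site POSTs from
        # HTML forms cannot reach the resolver without a preflight.
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return False, "POST body must be application/json"
    else:
        return False, "method not allowed"

    origin = hdrs.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    return True, "ok"
```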

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /graphql?query={__ty...
GET /api/graphql?query={...
Matching conditions
word: "query", "data", "__typename"
and
word: application/json
Passive global matcher
No matching conditions.
On match action
Report vulnerability