How to Perform CSRF Attack in GraphQL

Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. A successful CSRF attack can be devastating for both the business and user.

About CSRF

What is CSRF?

CSRF stands for Cross-Site Request Forgery, and it is a type of security vulnerability that occurs when an attacker tricks a user's browser into making an unintended request on a website where the user is authenticated. The attack takes advantage of the fact that the browser includes any relevant cookies for a particular domain with every request made to that domain.

Here's a basic explanation of how CSRF attacks work:

User Authentication: The victim user is authenticated to a legitimate website, and a session cookie is stored in their browser.
Malicious Request: The attacker creates a malicious website or injects malicious code into a legitimate website that the victim visits. This malicious code includes a request to the target website, exploiting the fact that the user is already authenticated.
Automatic Submission: When the victim visits the malicious website or encounters the injected code, the malicious request is automatically submitted in the background using the victim's authenticated session.
Unauthorized Action: The victim's browser, unaware of the malicious request, sends the authenticated request to the target website, causing the website to perform an action on behalf of the victim without their knowledge or consent.

Learn more
prevent CSRF attacks

Anti-CSRF Tokens: Include unique tokens in forms that are required for form submission. These tokens are generated per session and must be included in the request for it to be considered legitimate.

SameSite Cookie Attribute: Configure cookies to be same-site, which means they will only be sent in a first-party context and not in cross-site requests initiated by third-party websites.
Referer Header Checking: Verify the Referer header to ensure that requests come from the same domain.
Custom Headers: Use custom headers in requests that are checked by the server for legitimacy.

Table of contents:

What is a CSRF Attack?

The traditional CSRF Attack

Exploiting CSRF in GraphQL Endpoint

How CSRF occurs in GraphQL and Prevention

Conclusion

CSRF

What is a CSRF Attack?

Cross-Site Request Forgery (CSRF) is a type of attack where an attacker tricks a user’s web browser into performing unwanted actions on a web application in which the user is authenticated. The attacker crafts a malicious request and convinces the user to unknowingly execute it, leading to unauthorized actions being performed on their behalf.


Steps for traditional CSRF Attack

Here are the steps involved in a CSRF attack:

Attacker crafts a malicious webpage: The attacker creates a webpage that contains malicious code or a form to perform a specific action on the targeted web application.

User visits the malicious webpage: The user unknowingly visits the attacker’s webpage, which could be disguised as a legitimate or enticing website.

Malicious request is sent: The malicious webpage contains a request to perform an action on the targeted web application. This request could be in the form of a hidden form submission or an AJAX request.

User’s browser sends the request: Since the user is already authenticated on the targeted web application, their browser automatically includes the necessary credentials to execute the request.

Request is executed on the targeted web application: The targeted web application receives the malicious request and processes it, unaware that it was not initiated by the user directly.

Unwanted action is performed: The targeted web application performs the action specified in the malicious request, which could be anything from changing account settings to making a financial transaction.


Exploiting CSRF in GraphQL Endpoint

A CSRF (Cross-Site Request Forgery) attack is a type of attack where an attacker tricks a user’s authenticated web browser into performing unauthorized actions on a web application using GraphQL API.

The exploitation is pretty much similar to the non-API application but we need to understand few things.

When performing the attack, we need to change the content type from application/json to application/x-www-form-urlencoded in a GraphQL API is because GraphQL, by default, uses application/json to send queries and mutations. However, application/json requests are considered secure against CSRF forgery as long as the content type is properly validated by the server, thanks to the same-origin policy enforced by modern browsers.

To perform a CSRF attack, we need to bypass this same-origin policy and trick the user’s authenticated browser into making unauthorized requests. By using application/x-www-form-urlencoded as the content type, we can exploit vulnerabilities in the GraphQL endpoint that accept such requests. These vulnerable request types, like GET requests or requests with x-www-form-urlencoded content type, can be initiated by a browser without the user's explicit consent, making users vulnerable to CSRF attacks.

By changing the content type to application/x-www-form-urlencoded, we can craft a malicious request and send it to the target GraphQL API endpoint, taking advantage of the user's authenticated session. The GraphQL API processes the request and executes unauthorized actions on behalf of the user, potentially granting control over the user's account or performing unauthorized actions within the application.

When a server receives a request with the Content-Type header set to application/x-www-form-urlencoded, it knows that the body of the request contains data encoded in this format. The server then parses the body to extract the key-value pairs. The process typically involves the following steps:

Read the raw body: The server reads the raw body of the HTTP request.

Parse key-value pairs: The server parses the raw body to identify and separate the key-value pairs. Each pair is typically separated by an ampersand (&).

Decode URL encoding: For each key-value pair, the server decodes the URL-encoded values. This involves replacing %xx with the corresponding character and converting + back to space.

Store or process data: The server can then store the decoded key-value pairs in a data structure or use the data as needed for processing the request.

For GraphQL, since it is in JSON format, we need to change the mutation body into application/x-www-form-urlencoded content type.

For example, if the original mutation operation looks like this:

We need to change it to this form, separating each key and value pair.


The query parameter contains the URL-encoded GraphQL mutation operation.

The operationName parameter specifies the name of the operation, which is "changeEmail" in this case.

The variables parameter provides input variables in JSON format.

URL encodes the final result.



Here are the steps involved in a CSRF attack on a GraphQL API:

Identify the target GraphQL API endpoint.

Find a mutation operation like changing email.

Copy the mutation and modify it so that it is all in one line. For example, if the mutation is to change the email, the mutation query will look something like this:

Once you have the mutation query like this. Put it in the form field like this:



When you send a malicious URL to the victim and they click on it, the mutation will be automatically sent to change their email.


How CSRF occurs in GraphQL

1. CSRF Vulnerabilities in GraphQL Endpoints:

CSRF vulnerabilities can arise in GraphQL endpoints when these endpoints do not properly validate the content type of incoming requests, and they lack CSRF tokens.

2. Content Type Validation for Security:

POST requests that use a content type of application/json are mentioned as being secure against CSRF forgery, as long as the content type is properly validated by the server. This is because modern browsers enforce the same-origin policy for requests with the application/json content type.

3. Security of GET Requests and Other Content Types:

On the other hand, alternative methods such as GET requests, or any request that has a content type of x-www-form-urlencoded, are susceptible to CSRF attacks. These types of requests can be initiated by a browser without the user's explicit consent, potentially leaving users vulnerable if the GraphQL endpoint accepts such requests.

4. Exploiting Vulnerabilities:

In scenarios where a GraphQL endpoint accepts vulnerable request types, attackers may craft malicious exploits to send requests to the API on behalf of unsuspecting users. This is possible if the user is authenticated on the targeted web application.


Conclusion

In conclusion, a CSRF (Cross-Site Request Forgery) attack is a serious security threat that can target both traditional web applications and GraphQL APIs. While traditional CSRF attacks exploit vulnerabilities in the same-origin policy, a CSRF attack in GraphQL specifically targets GraphQL APIs that accept vulnerable request types like GET requests or requests with x-www-form-urlencoded content type.

GraphQL developers must implement proper CSRF protection measures, such as validating the content type of incoming requests and implementing CSRF tokens, to prevent CSRF attacks and ensure the security of their GraphQL applications.