GraphQL and CSRF protection

I read a lot around:

  1. https://github.com/pillarjs/understanding-csrf
  2. https://security.stackexchange.com/questions/10227/csrf-with-json-post
  3. Are JSON web services vulnerable to CSRF attacks?
  4. (Nothing on the ApolloServer site: https://www.apollographql.com/docs/apollo-server/)

However, I am not yet able to understand if our endpoint ("/graphql") is protected against this type of attack or if it is necessary to protect it with solutions like this: https://github.com/expressjs/csurf.

The thing that is not clear to me is that here: https://github.com/pillarjs/understanding-csrf they say:

When you're using CSRF tokens incorrectly: ... Adding them to JSON AJAX calls As noted above, if you do not support CORS and your APIs are strictly JSON, there is absolutely no point in adding CSRF tokens to your AJAX calls.

If we restrict our endpoint to just use Content-Type: application/json are we safe?

asked Aug 28 '18 by Fred Hors



1 Answer

If we restrict our endpoint to just use Content-Type: application/json are we safe?

JSON is not immune to CSRF attacks (but requires a little extra work for the attacker) and by extension, neither would GraphQL if not properly configured. If you break it down to the requests / responses, the usual scenario of CSRF would apply here:

  1. Victim authenticates with your GraphQL Web Service.
  2. Attacker sends malicious link to Victim.
  3. Victim clicks link and visits attacker's malicious website.
  4. Attacker's website sends JSON requests using the victim's cookie.
  5. Web Service receives JSON requests with valid session token / cookie and functionality is run by the victim without their knowledge.

In this scenario, your service is vulnerable to CSRF. Ensure that CORS is configured to only allow requests from a white list of trusted domains and ensure that a CSRF token is in use. Implementing multiple protections will reduce the risk of a successful attack.

The following link goes into greater detail and you can even try it yourself: https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b

This answer is also relevant: Are JSON web services vulnerable to CSRF attacks?

answered Oct 14 '22 by SeanD