GraphQL Non-JSON Queries over POST: Potential CSRF Vulnerability

Description

Your web application's GraphQL implementation accepts non-JSON queries over POST requests, increasing the risk of Cross-Site Request Forgery (CSRF) attacks. The request was sent with Content-Type application/x-www-form-urlencoded and succeeded.

Remediation

Restrict GraphQL queries to JSON-based POST requests to limit the CSRF attack surface.

References

That single GraphQL issue that you keep missing

Related Vulnerabilities

Node.js Web Application does not handle unhandledRejection

Verb tampering via misconfigured security constraint

Java Management Extensions (JMX/RMI) service detected

WordPress Plugin Marketo Forms and Tracking Cross-Site Request Forgery (1.0.2)

PHP allow_url_include enabled

Severity

Medium

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N