GraphQL and CSRF protection

Fred Hors picture Fred Hors · Aug 28, 2018 · Viewed 7.5k times · Source

I read a lot around:

  1. https://github.com/pillarjs/understanding-csrf
  2. https://security.stackexchange.com/questions/10227/csrf-with-json-post
  3. Are JSON web services vulnerable to CSRF attacks?
  4. (Nothing on the ApolloServer site: https://www.apollographql.com/docs/apollo-server/)

However, I am not yet able to understand if our endpoint ("/graphql") is protected for this type of attack or if it is necessary to protect it with solutions like this: https://github.com/expressjs/csurf.

The thing that is not clear to me is that here: https://github.com/pillarjs/understanding-csrf they say:

When you're using CSRF tokens incorrectly: ... Adding them to JSON AJAX calls As noted above, if you do not support CORS and your APIs are strictly JSON, there is absolutely no point in adding CSRF tokens to your AJAX calls.

If we restrict our endpoint to just use Content-Type: application/json are we safe?

Answer

SeanD picture SeanD · Oct 1, 2018

If we restrict our endpoint to just use Content-Type: application/json are we safe?

JSON is not immune to CSRF attacks (but requires a little extra work for the attacker) and by extension, neither would GraphQL if not properly configured. If you break it down to the requests / responses, the usual scenario of CSRF would apply here:

  1. Victim authenticates with your GraphQL Web Service.
  2. Attacker sends malicious link to Victim.
  3. Victim clicks link and visits attacker's malicious website.
  4. Attacker's website sends JSON requests using victims cookie.
  5. Web Service receives JSON requests with valid session token / cookie and functionality is run by the victim without their knowledge.

In this scenario, your service is vulnerable to CSRF. Ensure that CORS is configured to only allow requests from a white list of trusted domains and ensure that a CSRF token is in use. Implementing multiple protections will reduce the risk of a successful attack.

The following link goes into greater detail and you can even try it yourself: https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b

This answer is also relevant: Are JSON web services vulnerable to CSRF attacks?