id: graphql-get-method

info:
  name: GraphQL CSRF / GET method
  author: Dolev Farhi
  severity: info
  description: |
    Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API.
    Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser.
  reference:
    - https://graphql.org/learn/serving-over-http/#get-request
    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
    - https://graphql.security/
  tags: graphql

requests:
  - method: GET
    path:
      - "{{BaseURL}}/graphql?query={__typename}"
      - "{{BaseURL}}/api/graphql?query={__typename}"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"query"'
          - '"data"'
          - '"__typename"'
        case-insensitive: true
        condition: and

      - type: word
        part: header
        words:
          - "application/json"