GraphQL Cross-Site Request Forgery

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries against the application dataset. GraphQL servers often accept `Content-Type` header values other than `application/json`, and GET-based requests for both queries and mutations. By leveraging this, an attacker could achieve a Cross-Site Request Forgery (CSRF) attack and make an authenticated user perform arbitrary actions on the target GraphQL endpoint.
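The two conditions above (non-JSON content types and mutations over GET) are exactly what a browser can send cross-site without a CORS preflight, so the server-side mitigation is to refuse them. The following request filter is an added example, not code from the original post; it assumes a hypothetical `checkGraphqlRequest` hook run before the GraphQL engine executes an operation, and a deliberately minimal keyword-based mutation check in place of a full AST parse.

```javascript
// Added example (not from the original post): pre-execution filter for a GraphQL
// endpoint that rejects the two CSRF vectors the post describes.
//
// Assumptions (hypothetical): the server calls checkGraphqlRequest() with the
// HTTP method, the raw Content-Type header and the GraphQL document string.

// Only application/json (optionally with parameters) is accepted for POST.
// "Simple" types such as text/plain, application/x-www-form-urlencoded and
// multipart/form-data can be sent cross-origin by a plain HTML form with no
// preflight, so they are rejected.
const JSON_CONTENT_TYPE = /^application\/json(?:\s*;.*)?$/i;

// Minimal check of the top-level operation type. Constructed for this example:
// it inspects the leading keyword only; a production server should use the
// operation type from the parsed GraphQL AST instead.
function isMutation(query) {
  // Strip leading whitespace and '#' comments, then test for the keyword.
  const body = query.replace(/^(\s*#[^\n]*\n|\s+)*/, "");
  return /^mutation\b/i.test(body);
}

function checkGraphqlRequest({ method, contentType, query }) {
  const verb = (method || "").toUpperCase();
  if (verb === "GET") {
    // Queries over GET are read-only; mutations over GET are a CSRF vector.
    if (isMutation(query)) {
      return { ok: false, reason: "mutations are not allowed over GET" };
    }
    return { ok: true };
  }
  if (verb === "POST") {
    if (!JSON_CONTENT_TYPE.test((contentType || "").trim())) {
      return { ok: false, reason: "Content-Type must be application/json" };
    }
    return { ok: true };
  }
  return { ok: false, reason: `unsupported method ${verb || "(none)"}` };
}
```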