Mutation over GET

firetail:graphql-get-mutation-allowed

Type: Observation

Rule Severity: Medium

The GraphQL endpoint permits mutations to be executed using the HTTP GET method.

Typically, mutations should be executed using the POST method, as GET requests are intended for fetching data without side effects. Allowing mutations over GET can lead to several security risks, since GET requests are routinely cached, logged and triggered from plain links.

Remediation

Ensure that the GraphQL API rejects mutations sent with the GET method and accepts them only over POST.
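One way to enforce this check at the HTTP layer, as an added example that is not FireTail's or any server's own code: it determines which operation a request would execute (the only one in the document, or the one selected by operationName) and refuses it over GET unless it is a query. The helper names and the shape of the returned object are assumptions; the request's raw document is passed in as `query`.

```javascript
// Added example (not FireTail's or any server's code): refuse a GraphQL request
// that would run a mutation or subscription over GET.
function stripCommentsAndStrings(src) {     // blank comments/strings so "mutation" inside them is ignored
  let out = "";
  for (let i = 0; i < src.length; ) {
    if (src[i] === "#") {                                 // comment to end of line
      while (i < src.length && src[i] !== "\n") i++;
    } else if (src[i] === '"') {                          // "..." or """..."""
      const close = src.startsWith('"""', i) ? '"""' : '"';
      i += close.length;
      while (i < src.length && !src.startsWith(close, i)) i += src[i] === "\\" ? 2 : 1;
      i += close.length;
      out += '""';
    } else out += src[i++];
  }
  return out;
}

// [{ type, name }] for each top-level definition. Braces inside the variable
// definition parentheses (default object values) do not open a selection set.
function listDefinitions(query) {
  const defs = [], src = stripCommentsAndStrings(query);
  let depth = 0, parens = 0, defStart = 0;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === "(") parens++;
    else if (c === ")") parens--;
    else if (parens > 0) continue;
    else if (c === "{") {
      if (depth++ === 0) {                                // header text precedes first "{"
        const m = /^(query|mutation|subscription|fragment)\b\s*([_A-Za-z]\w*)?/
          .exec(src.slice(defStart, i).trim());
        defs.push(m ? { type: m[1], name: m[2] || null } : { type: "query", name: null });
      }
    } else if (c === "}" && --depth === 0) defStart = i + 1;
  }
  return defs;
}

// Gate to call from the HTTP handler before executing the document. The operation
// that would run is the only one in the document, or the one picked by operationName.
function checkGetRequest(method, query, operationName) {
  const ops = listDefinitions(query).filter((d) => d.type !== "fragment");
  const op = operationName ? ops.find((o) => o.name === operationName) : ops.length === 1 ? ops[0] : null;
  if (!op) return { allowed: false, reason: "operation could not be determined" };
  if (method.toUpperCase() === "GET" && op.type !== "query")
    return { allowed: false, reason: `${op.type} is not permitted over GET` };
  return { allowed: true, reason: "ok" };
}
```

A document with several operations and no operationName is refused outright, which matches the GraphQL spec's requirement that such requests name the operation to run.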

Example Attack Scenario

An attacker sends a GET request with a mutation query embedded in the URL, such as deleting a user or updating account details. If the server allows mutations via GET, the attacker can execute this mutation without the need for additional authentication or protection, potentially leading to unauthorized data modification.

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications