The GraphQL endpoint accepts queries in non-JSON formats, such as URL-encoded form data, in the body of POST requests.
This exposes the endpoint to Cross-Site Request Forgery (CSRF). A browser will submit an HTML form, or a fetch request, with a Content-Type of application/x-www-form-urlencoded, multipart/form-data or text/plain to any origin without a CORS preflight, and it attaches the victim's cookies to that request. If the endpoint authenticates with cookies and accepts one of those encodings, an attacker can host a page that silently posts a crafted query or mutation to it, and the operation executes in the victim's session. A JSON request, by contrast, carries Content-Type: application/json, which browsers only send cross-origin after a successful CORS preflight, so an endpoint that accepts nothing else cannot be driven from an unauthorized origin in this way.
Remediation
Ensure that the GraphQL API only accepts JSON-encoded queries in the request body: check the Content-Type header of every POST and reject anything other than application/json (ignoring parameters such as charset) with 415 Unsupported Media Type before the body is parsed. Checking the header is the essential step; merely attempting to parse the body as JSON is not enough, because a cross-origin request with Content-Type: text/plain can still carry a well-formed JSON body and would be executed by a server that does not look at the header.
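The following is an added example, not code from the original page or from any particular GraphQL server. It shows the Content-Type gate described above in front of a hypothetical request handler, together with constructed sample requests for the three cases a practitioner should test: a legitimate JSON request, a form-encoded body as an auto-submitting HTML form would send it, and a text/plain body that is valid JSON. The function names, the verdict object and the decision to reject GET (so that queries can only arrive as a POST body) are assumptions made for the example.

```javascript
// Added example (not code from the original page). A Content-Type gate for a
// GraphQL HTTP handler, with constructed sample requests showing which ones a
// cross-origin page can send. No GraphQL engine is used; handleGraphqlRequest
// is a hypothetical stand-in for the real request pipeline.

// Content types a browser sends cross-origin without a CORS preflight
// (the CORS-safelisted request types). These are the CSRF-bearing ones.
const CORS_SAFELISTED = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Normalise a Content-Type header: drop parameters such as "; charset=utf-8",
// trim and lower-case, so "Application/JSON; charset=utf-8" -> "application/json".
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Policy from the remediation: queries only via POST with a JSON body
// (rejecting GET is an assumption of this example). Returns a verdict
// object so the caller can map it to an HTTP response.
function checkGraphqlRequest(method, contentType) {
  const type = mediaType(contentType);
  if (method !== 'POST') {
    return { ok: false, status: 405, reason: 'queries must be sent with POST' };
  }
  if (type === 'application/json') {
    return { ok: true, status: 200, reason: 'JSON body accepted' };
  }
  if (type === '' || CORS_SAFELISTED.has(type)) {
    return { ok: false, status: 415, reason: 'form-style or untyped body rejected (CSRF guard)' };
  }
  return { ok: false, status: 415, reason: `unsupported Content-Type ${type}` };
}

// Hypothetical request handler: gate first, then parse the body as JSON and
// require a string "query" field, as a GraphQL server would before execution.
function handleGraphqlRequest(req) {
  const verdict = checkGraphqlRequest(req.method, req.headers['content-type']);
  if (!verdict.ok) {
    return { status: verdict.status, body: { errors: [{ message: verdict.reason }] } };
  }
  let parsed;
  try {
    parsed = JSON.parse(req.body);
  } catch (e) {
    return { status: 400, body: { errors: [{ message: 'body is not valid JSON' }] } };
  }
  if (parsed === null || typeof parsed !== 'object' || typeof parsed.query !== 'string') {
    return { status: 400, body: { errors: [{ message: 'missing "query" string' }] } };
  }
  // A real server hands parsed.query (and parsed.variables) to its executor here.
  return { status: 200, body: { data: { acceptedQuery: parsed.query } } };
}

// Constructed sample requests (not captured traffic). Header names are
// lower-cased as Node's http module presents them.
const SAMPLE_REQUESTS = {
  // What a legitimate front end sends; cross-origin this needs a preflight.
  legitimate: {
    method: 'POST',
    headers: { 'content-type': 'application/json; charset=utf-8' },
    body: JSON.stringify({ query: '{ viewer { id } }' }),
  },
  // What an attacker's auto-submitting <form method="POST"> produces.
  csrfForm: {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: 'query=mutation%7BdeleteAccount%7D',
  },
  // fetch() with text/plain also needs no preflight, and the body is valid JSON:
  // a server that only tries JSON.parse without checking the header would run it.
  csrfTextPlain: {
    method: 'POST',
    headers: { 'content-type': 'text/plain' },
    body: '{"query":"mutation{deleteAccount}"}',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    const res = handleGraphqlRequest(req);
    console.log(`${name}: HTTP ${res.status} ${JSON.stringify(res.body)}`);
  }
}
```

The gate runs before any body parsing, so the form-encoded and text/plain requests never reach JSON.parse. Servers that must also accept multipart uploads or GET queries take a different route to the same guarantee: they require a custom request header, which forces a CORS preflight (Apollo Server's built-in csrfPrevention, for instance, accepts a request either with Content-Type: application/json or with a non-empty Apollo-Require-Preflight or X-Apollo-Operation-Name header). The point in both designs is the same: no request that a browser can send cross-origin without a preflight may reach the executor.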