GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. GraphQL servers often accept `Content-Type` header values other than `application/json` (such as `application/x-www-form-urlencoded` or `text/plain`, which browsers send cross-origin without a CORS preflight), and GET-based requests for both queries and mutations. By leveraging this, an attacker could achieve a Cross-Site Request Forgery (CSRF) attack and make an authenticated user perform arbitrary actions on the target GraphQL endpoint.
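One way to close both avenues described above is a request guard placed in front of the GraphQL resolver. The following is an added, framework-agnostic example (not code from the original page or from any GraphQL project); the function names, the `check_request` signature and the sample requests are assumptions constructed for illustration.

```python
import json
import re
from typing import Mapping, Optional

# Guard for a GraphQL endpoint (constructed example). It enforces the two
# conditions that defeat the CSRF pattern above: mutations are never executed
# from GET requests, and POST bodies are accepted only when sent as
# application/json, a Content-Type that forces a CORS preflight in browsers,
# so a cross-origin page cannot submit it silently with the victim's cookies.

_OP_RE = re.compile(r"^\s*(query|mutation|subscription)\b", re.IGNORECASE)


def operation_type(document: str) -> str:
    """Return the top-level operation type; an anonymous '{ ... }' is a query."""
    m = _OP_RE.match(document)
    return m.group(1).lower() if m else "query"


def check_request(method: str, headers: Mapping[str, str], body: Optional[str],
                  query_string: Mapping[str, str]) -> Optional[str]:
    """Return None if the request may proceed, otherwise a rejection reason."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # Strip parameters such as '; charset=utf-8' before comparing the media type.
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    method = method.upper()

    if method == "GET":
        # GET may only carry read-only queries; state changes need a POST.
        if operation_type(query_string.get("query", "")) == "mutation":
            return "mutations are not allowed over GET"
        return None
    if method != "POST":
        return "method not allowed"
    if ctype != "application/json":
        # Reject even a JSON-looking body if it arrived under a 'simple' type.
        return f"unsupported Content-Type {ctype or '(none)'}"
    try:
        payload = json.loads(body or "")
    except ValueError:
        return "body is not valid JSON"
    if not isinstance(payload, dict) or not isinstance(payload.get("query"), str):
        return "missing query"
    return None
```

Pair this guard with same-origin checks (Origin header or a CSRF token) for defense in depth; it removes the easy cross-origin paths but is not a complete CSRF solution on its own.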