Does Quarkus supports CSRF attack protection on GraphQL?

[spirostz]

Hello,

I am not sure if Quarkus GraphQL has any build-in CSRF attack protection.

Usually, CSRF attack has to do with posting html forms e.g. for content types: application/x-www-form-urlencoded or multipart/form-data

But, there are scenarios that application/json can also be vulnerable, if for example you disable the CORS.

As I understood, here: https://quarkus.io/guides/security-csrf-prevention quarkus prevents the "form posting" scenarios. Additionally, in the same page we read:

@POST
    @Path("/users")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.TEXT_PLAIN)
    public String postJson(User user) {
        return user.name;
    }
...

--> [ POST json request to /user, CSRF token verification is not needed ] 

and my assumption here is that quarkus prevents also this and we don't need to do anything else.

Is my assumption correct or I miss something?

If yes, does the same CSRF security solution applied to GraphQL as well?

Thank you

similar question here: https://stackoverflow.com/questions/75735393/does-quarkus-supports-csrf-attack-protection-on-graphql

[quarkus-bot[bot]]

/cc @jmartisk (graphql), @phillip-kruger (graphql)

[sberyozkin]

Hi @spirostz I tried to answer in the stack overflow question yesterday

[spirostz]

Hi @sberyozkin,

I saw the answer, based on the phrase "I believe GraphQL is using WebSockets" is correct but incomplete, WebSockets its just a feature of GraphQL. Actually, doing simple mutations without any WebSockets https://quarkus.io/guides/smallrye-graphql#mutations is the most common scenario IMO and is just a common HTTP post similar to REST. So, based on that, GraphQL can be vulnerable to CSRF attacks.

On the other hand, I did some tests and CORS restriction actually prevents an attack like that since the only way to call GraphQL is Javascript AJAX.

Of course, I found out that there is a way to call graphQL endpoints using html form posts that is vulnerable to CSRF
e.g.

  <form method="post" action="https://example.com/graphql">
      <input type="hidden" name="query" value="mutation { createMessage(text: &quot;Hello, world!&quot;) { id text } }">
      <button type="submit">Create</button>
    </form>

The good news is that Quarkus fails when you do a graphQL call this way:

023-03-15 15:16:57,541 ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] (vert.x-eventloop-thread-1) HTTP Request to /graphql failed, error id: 1bb859b2-e746-4143-a45a-bddef17f1bcd-1: javax.json.stream.JsonParsingException: Unexpected char 113 at (line no=1, column no=1, offset=0)

Other approaches, (unknown to me) might succeed.

So, actually the question here is:

Do I need to do something in order to be CSRF attack safe when using Quarkus GraphQL?
If yes is there a suggestion?

Thank you

[sberyozkin]

Hi @spirostz But here you submit JSON, right ? The way the CSRF feature works is that injects the CSRF token in the hidden HTML form value, so the browser manages such a token visibility. If this token is inside the custom JSON payload then it can't be really protected by the browser.
So, if you say the CORS feature can help, why there is a concern about CSRF ? Can you imagine the case where CORS protection is not enough ?
Also CC @phillip-kruger

[spirostz]

Hi @sberyozkin ,
Since there is no other way* (e.g. through an "http form post") to call the GraphQL resource, then yes, I am considering the GraphQL with CORS safe against CSRF attacks.
The only way to call GraphQL (mutation/queries) is through Javascript AJAX and all modern browsers are taking into consideration the CORS restrictions and will block any AJAX calls from unknown domains (e.g. CSRF attack).