
Get Method Query Support

Updated: June 19, 2025

Description

Severity: Medium

The GraphQL endpoint accepts operations sent with the HTTP GET method, that is, with the GraphQL document (and usually its variables) placed in the URL query string.

GET is meant for side-effect-free reads, and the GraphQL over HTTP specification restricts GET to query operations. Even for plain queries, putting the document in the URL is risky: URLs are recorded in browser history, server access logs, proxy logs and CDN caches, so a query that embeds sensitive arguments (an e-mail address, a token, a record identifier) leaks into places the application does not control. The risk becomes serious when the server also executes mutations over GET. A cross-origin GET is a "simple" request that browsers send without a CORS preflight and with the victim's cookies attached, so a mutation reachable by GET can be triggered from any web page the victim visits, which is a cross-site request forgery (CSRF) against the API.

Example Attack

An attacker builds a URL whose query parameter contains a mutation, for example one that deletes a user or changes the account's e-mail address, and gets a logged-in victim to load it (through a link, an image tag or a redirect). The victim's browser issues the GET with the victim's session cookie, and, because the server executes mutations over GET, the change is applied with the victim's privileges. The attacker never needs the victim's credentials or an additional authentication step; the browser supplies them.

Remediation

Accept GraphQL operations over POST only and reject GET requests to the endpoint. If GET must be kept for a specific reason, such as CDN caching of persisted queries, then execute only query operations over GET, refuse any document that contains a mutation or subscription, require a custom request header or CSRF token so that the request cannot be a browser "simple" request, and keep sensitive values out of the URL.
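The following is an added example, not code from the original finding page or from any particular GraphQL server. It illustrates both the attack above and the remediation: it extracts the GraphQL document from an attack-style GET URL, classifies the operations in the document (skipping fragment definitions and treating the shorthand `{ ... }` form as a query, as the specification does), and applies a request policy that allows POST, rejects GET by default, and, when GET is explicitly enabled for read-only use, still refuses mutations and subscriptions. The endpoint URL, the deleteUser mutation and the policy function names are constructed for illustration.

```python
"""Added example (not part of the original finding page): a minimal policy
check a GraphQL server could run before executing an operation.  It
classifies the operations in a document and rejects mutations (and, under
the strict policy the remediation recommends, every operation) that
arrives over HTTP GET.  Names and URLs below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Tokens that matter for classification: block strings, strings, names and
# braces.  Other punctuation is matched by \S and ignored so that braces
# inside string literals are never mistaken for selection sets.
_TOKEN = re.compile(
    r'"""(?:\\"""|(?!""").)*"""'      # block string
    r'|"(?:\\.|[^"\\\n])*"'          # string
    r'|[_A-Za-z][_0-9A-Za-z]*'       # name / keyword
    r'|[{}]'                         # selection-set delimiters
    r'|\S',                          # anything else, one char at a time
    re.S,
)
_COMMENT = re.compile(r"#[^\r\n]*")
OPERATION_KEYWORDS = {"query", "mutation", "subscription"}


def operation_types(document: str) -> set:
    """Return the set of operation types defined at the top level of a
    GraphQL document.  Fragment definitions are skipped and the anonymous
    shorthand `{ ... }` counts as a query, as the GraphQL spec defines it."""
    types = set()
    depth = 0
    pending = None  # keyword seen at depth 0, waiting for its opening brace
    for tok in _TOKEN.findall(_COMMENT.sub("", document)):
        if tok == "{":
            if depth == 0:
                kind = pending or "query"   # no keyword: shorthand query
                if kind != "fragment":
                    types.add(kind)
                pending = None
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0 and pending is None:
            if tok in OPERATION_KEYWORDS:
                pending = tok
            elif tok == "fragment":
                pending = "fragment"        # consumed at its brace, not recorded
    return types


def document_from_url(url: str) -> str:
    """Extract the `query` parameter an attacker would embed in a GET URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("query", [""])[0]


def allow_request(method: str, document: str, allow_get_queries: bool = False) -> bool:
    """Decide whether the server should execute `document`.

    POST is always accepted here (authorisation of the operations themselves
    is a separate concern).  GET is refused outright under the strict policy
    the remediation recommends.  If `allow_get_queries` is True, e.g. for
    CDN-cached persisted queries, GET may carry read-only queries but never a
    mutation or subscription, which closes the CSRF path described above."""
    method = method.upper()
    if method == "POST":
        return True
    if method != "GET" or not allow_get_queries:
        return False
    types = operation_types(document)
    return bool(types) and types <= {"query"}


# Constructed attack URL: a mutation smuggled into the query string so that a
# victim's browser issues it, cookies attached, when it loads the URL.
ATTACK_URL = (
    "https://api.example.com/graphql?query="
    "mutation%20%7B%20deleteUser(id%3A%20%2242%22)%20%7B%20id%20%7D%20%7D"
)

if __name__ == "__main__":
    doc = document_from_url(ATTACK_URL)
    print("document:", doc)
    print("operations:", operation_types(doc))
    print("GET, strict policy  ->", allow_request("GET", doc))
    print("GET, read-only GET  ->", allow_request("GET", doc, allow_get_queries=True))
    print("POST                ->", allow_request("POST", doc))
```

The classifier deliberately walks tokens rather than matching the first word of the document: a document can start with a fragment definition or a comment and still contain a mutation further down, and a check that only inspects the leading keyword would let such a document through on GET.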
