Findings

POST based url-encoded query (possible CSRF)

Updated: June 19, 2025

Description

Severity: Medium

The GraphQL endpoint accepts non-JSON queries, such as URL-encoded data, via POST requests.

This matters because of how browsers decide whether a cross-origin request needs a CORS preflight. A POST whose body is declared as application/json is never sent from another origin without a preflight, so the server's CORS policy gets a chance to refuse it. A POST with application/x-www-form-urlencoded, multipart/form-data or text/plain is a CORS "simple request": an ordinary HTML form on an attacker-controlled page can submit it, the victim's browser attaches the session cookies for the target origin, and no preflight happens. If the GraphQL endpoint parses such a body and executes the query it finds there, a cross-site page can make an authenticated user run arbitrary queries and mutations, which is Cross-Site Request Forgery (CSRF). The exposure is real whenever authentication is carried by cookies (or another credential the browser attaches automatically); an API that is authenticated only by a bearer token the attacker cannot set is not affected in the same way.

Remediation

Ensure that the GraphQL API only accepts JSON-encoded queries in the request body: check the Content-Type header of every POST before parsing, accept only application/json (parameters such as charset are fine), and reject everything else, including a missing header, with an error rather than falling back to form or text parsing. Do not sniff the body to decide its encoding, since a form with enctype text/plain can carry a JSON-looking payload. The check is effective only if the CORS policy does not echo arbitrary origins with credentials allowed; keep SameSite cookies or an anti-CSRF token as defence in depth.
