Performing CSRF exploits over GraphQL