Monday, September 19, 2016

CSRF Attack for JSON-encoded Endpoints

Sometimes you see a possible Cross-Site Request Forgery (CSRF) attack against JSON endpoints, where data is a JSON blob instead of x-www-form-urlencoded data.

Here is a PoC that will send a JSON CSRF.

    <form action="" method="post" 
        enctype="text/plain" name="jsoncsrf"> 

You can use any JSON including nested objects, lists, etc.

The previous example adds a trailing equal sign =, which will break some parsers. You can get around it with:

<input name='{"json":"data","extra' value='":"stuff"}' 

Which will give the following JSON:


1 comment :

  1. Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!