CSRF allows a malicious user to bypass the same-origin policy and cause the victim of the attack to unknowingly perform the attacker's desired action. CSRF was previously number seven in OWASP's Top 10 vulnerabilities in 2017. It has since fallen off the list because CSRF protections are now built into many application frameworks. Despite this, CSRF is still commonly found during our pentesting engagements.

Creating a CSRF PoC requires the attacker to create a web form or link. The easiest request to attack is a GET request; slightly more difficult is a standard POST request with query parameters. A popular tool for web application penetration testing is Burp Suite, which can quickly generate these CSRF proofs of concept: right-click a request and select "Engagement tools", then "Generate CSRF PoC".

One area where these tools struggle to create PoCs is more complex POST requests, such as a POST request that sends JSON data with Content-Type: application/json. This is because these tools typically generate a self-submitting form, which requires the targeted request to carry query parameters, and a JSON body does not.

To create a working PoC for this type of request, the application must accept the submitted JSON data with one of the following content types: text/plain, application/x-www-form-urlencoded, or multipart/form-data. You can test this by resubmitting the JSON POST request in Burp's Repeater with the content type changed and checking whether the application returns an error. If the application accepts one of these content types, you can move on to generating a PoC.

To build a web form that carries a JSON payload, use a hidden input field and place the JSON payload in its name attribute, with one modification: replace the final } of the JSON payload with ,"padding":"'value='something"}'.

For example, if the JSON payload of the vulnerable request you are targeting is

{"email":"test@test.com","firstname":"Test","lastname":"Test","phone":"1234567890"}

then the web form you create would look like the following:

<html>
 <body>
  <script>history.pushState('', '', '/')</script>
   <form action='http://thisisatest.com' method='POST' enctype='text/plain'>
    <input type='hidden' name='{"email":"test@test.com","firstname":"Test","lastname":"Test","phone":"1234567890","padding":"'value='something"}' />
    <input type='submit' value='Submit request' />
   </form>
  </body>
</html>

This would generate a request that looks like the following, allowing you to demonstrate a CSRF attack against a JSON POST request.
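The precondition described above is also the fix. A browser form can only submit text/plain, application/x-www-form-urlencoded or multipart/form-data, so a JSON endpoint that insists on an exact application/json media type and a first-party Origin cannot be reached by the padding trick at all. The following is an added defensive example, not code from the original post; the allowed origin, headers and request bodies are constructed, and FORM_BODY is what the text/plain form above actually transmits.

```python
"""Strict request gate for a JSON endpoint. Added defensive example, not code from
the original post; the allowed origin, headers and bodies are constructed."""
import json

ALLOWED_ORIGINS = {"https://app.example.test"}  # constructed first-party origin

# Constructed: what the text/plain form above really sends (name "=" value), so the
# padding field becomes "=something" and the body is still perfectly valid JSON.
FORM_BODY = (b'{"email":"test@test.com","firstname":"Test","lastname":"Test",'
             b'"phone":"1234567890","padding":"=something"}\r\n')

def media_type(content_type):
    """Bare lower-cased type/subtype; parameters such as charset are ignored."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def accept_json_request(headers, body):
    """Return (ok, reason, parsed); parsed is the decoded object only when ok."""
    # 1. Exact media type. A browser form can only send text/plain,
    #    x-www-form-urlencoded or multipart/form-data, never application/json,
    #    so this check alone removes the precondition the padding trick needs.
    if media_type(headers.get("Content-Type")) != "application/json":
        return False, "content-type-not-json", None
    # 2. Origin must be first-party; an absent or "null" Origin fails closed.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False, "bad-origin", None
    # 3. Only now parse, and insist on a JSON object.
    try:
        parsed = json.loads(body)
    except ValueError:  # JSONDecodeError and bad UTF-8 are both ValueErrors
        return False, "malformed-json", None
    if not isinstance(parsed, dict):
        return False, "not-an-object", None
    return True, "ok", parsed

def forged_body_is_valid_json():
    """Why a body-only check is useless: the form-generated body parses cleanly."""
    return isinstance(json.loads(FORM_BODY), dict)

def demo_forged():
    """The cross-site text/plain form submission described in the post."""
    return accept_json_request({"Content-Type": "text/plain",
                                "Origin": "https://other-site.example"}, FORM_BODY)

def demo_legit():
    """A first-party fetch() call: application/json with a charset parameter."""
    return accept_json_request({"Content-Type": "application/json; charset=utf-8",
                                "Origin": "https://app.example.test"},
                               b'{"email":"test@test.com","firstname":"Test"}')
```

The forged body itself is indistinguishable from a legitimate one once parsed, which is why the gate decides on the Content-Type and Origin headers before the body is ever decoded.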
