JSON CSRF

JSON CSRF is a variant of Cross-Site Request Forgery that targets endpoints expecting JSON payloads. Browsers restrict cross-origin requests that carry an application/json content type, but several techniques can bypass that protection when the server is not strict about what it accepts.

Why JSON CSRF is Harder

Browsers enforce the Same-Origin Policy and send a CORS preflight for non-simple requests. A request with the proper application/json content type should trigger that preflight, but server misconfigurations and bypass techniques exist.

Bypass Techniques

Using text/plain (a simple request, so no preflight is sent):

<form action="https://api.example.com/transfer"
      method="POST"
      enctype="text/plain">
  <input name='{"to":"attacker","amount":1000,"ignore":"' value='"}' />
</form>

// The browser encodes the field as name=value, so the body sent is:
//   {"to":"attacker","amount":1000,"ignore":"="}
// The "ignore" key absorbs the "=" the browser inserts, leaving valid JSON.
// If the server ignores Content-Type and parses the body as JSON, the forged request succeeds.

Flash-based bypass (legacy):

// Flash could set arbitrary Content-Type headers on cross-origin requests
// Mitigated in modern browsers, which no longer run Flash

Vulnerable Configurations

  • Server accepts any Content-Type and parses the body as JSON regardless
  • Permissive CORS (Access-Control-Allow-Origin: * or a reflected Origin, combined with Access-Control-Allow-Credentials: true)
  • CORS allowlist bypass via the null origin
  • Missing CSRF token validation on API endpoints

Prevention

  • Require and validate Content-Type: application/json (reject text/plain and form encodings)
  • Use CSRF tokens even for API endpoints
  • Implement strict CORS policies (explicit origin allowlist, never reflect arbitrary origins with credentials)
  • Use SameSite cookies so the session cookie is not attached to cross-site POSTs
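The following is an added example, not code from the original page: a server-side screen for a JSON API that closes the text/plain gap shown above and applies the prevention points. It assumes a Node-style header object with lower-case keys; ALLOWED_ORIGINS and the forged body are constructed values.

```javascript
// Added example, not from the original page. Assumptions: `headers` is a plain
// object with lower-case keys (as Node's http module provides), and
// ALLOWED_ORIGINS holds this application's own origin (constructed value).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Reduce "type/subtype; charset=..." to the bare media type, case-insensitively.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Origin derived from a Referer URL, or undefined if absent or unparseable.
function refererOrigin(referer) {
  if (typeof referer !== "string") return undefined;
  try { return new URL(referer).origin; } catch { return undefined; }
}

// Decide whether a state-changing request may proceed.
// Returns { ok: true } or { ok: false, reason }.
function screenJsonRequest(headers) {
  // 1. Only application/json is accepted. An HTML form cannot send that type,
  //    and fetch/XHR with it triggers a CORS preflight, so a cross-site page
  //    cannot deliver the request without an explicit CORS grant.
  if (mediaType(headers["content-type"]) !== "application/json") {
    return { ok: false, reason: "content-type" };
  }
  // 2. Origin (or Referer as a fallback) must be our own. A sandboxed or
  //    data: page sends the literal string "null", which is not allowlisted.
  const origin = headers["origin"] !== undefined
    ? headers["origin"] : refererOrigin(headers["referer"]);
  if (origin === undefined) {
    // No browser provenance at all: accept only if no cookie was attached,
    // i.e. the caller is not riding on an ambient session.
    return headers["cookie"] ? { ok: false, reason: "no-origin" } : { ok: true };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: "origin" };
  return { ok: true };
}

// Session cookie attributes: SameSite keeps the cookie off cross-site POSTs.
function sessionCookie(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// The text/plain form above yields this body (constructed here). It is valid
// JSON, which is why a server that ignores Content-Type is exploitable.
const FORGED_BODY = '{"to":"attacker","amount":1000,"ignore":"="}';
function bodyIsValidJson(body) {
  try { JSON.parse(body); return true; } catch { return false; }
}
```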
