Press "Enter" to skip to content

Exploiting CSRF on JSON Endpoint without Flash


Before we begin with JSON CSRF we need to nail down the Fundamentals of traditional CSRF and JSON based CSRF.

What is CSRF?

CSRF is Cross-Site Request Forgery vulnerability which can be used to force an user to conduct unintended actions on a Web Application. Using this flaw an attacker can perform various attacks based on the affected module such as changing Email ID, Password for the User’s Account.

CSRF on JSON Endpoint:

When performing CSRF on JSON Endpoint Server usually rejects the request due to extra padding from traditional CSRF Exploit with HTML forms. Usually server checks for Content-Type: application/json Header which becomes hard to exploit as we cannot change content-type in HTML. In order to perform JSON CSRF below conditions should be met:

  • User should be loggedin
  • Authentication Method should be cookie based only
  • No Authentication Token present in Header
  • Same-Origin Policy should not be enforced
  • Application accepts any content type: Easily Exploitable with HTML forms
  • Application only accepts application/json content type: Exploitable with Fetch API

When trying CSRF on such Endpoints with HTML we can often face padding issues due to HTML Forms which is why we are going to use Fetch API in Javascript.

CSRF Fails due to padding in HTML form for JSON request

We are going to use our JSON CSRF PoC Code from Github and replace URL and JSON Body.

JSON CSRF Exploit Code

You can find this exploit code on the github page.

Using above code we can edit the URL and replace the body with the JSON Data to perform CSRF.


After performing CSRF we are redirecting user to other page.

CSRF Exploited and User Redirected


This CSRF was exploitable due to lack of Anti-CSRF Token and Cookie Based Authentication, using Token Based Authentication could have fixed the issue as well.

Thank for reading do follow @rootsploit for more InfoSec Writeups!!!


Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *