Exploiting CSRF in JSON requests
JSON is a popular format for exchanging data over the Internet in client-server architectures, and there is a growing trend of developers using JSON for browser-to-server communication.
The body of a JSON-based POST looks like the following:
In terms of our CSRF exploitation scenario, the problem is that a JSON body carries no name=value parameters, which are exactly what a self-submitting form produces. To get around this, we can use a self-submitting form with a hidden input that has only a name attribute and no value. In other words, the name itself will contain the JSON payload used to exploit the CSRF. We'll also have to change the form's encoding type to text/plain so the browser sends the name without URL-encoding it. The exploit code will look like the following:
<html>
  <head></head>
  <body onload="document.getElementById('xsrf').submit()">
    <form id="xsrf" action="https://bank.example.com/transfer/money" method="post" enctype="text/plain">
      <input name='...
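On the server side, a request produced by the text/plain form above differs from a legitimate JSON call in ways a handler can check. The following Python is an added example (not code from the original page): a hypothetical guard that requires an application/json Content-Type, an allow-listed Origin or Referer, a custom header a plain HTML form cannot set, and strict JSON parsing, which rejects the trailing "=" that a text/plain form submission appends to the name. The origin value and sample requests are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed first-party origin for this example; these checks are defence in
# depth alongside CSRF tokens and SameSite cookies, not a replacement for them.
ALLOWED_ORIGINS = {"https://bank.example.com"}


def is_json_content_type(headers):
    """HTML forms can only send application/x-www-form-urlencoded,
    multipart/form-data or text/plain, so insist on application/json."""
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    return ctype == "application/json"


def origin_allowed(headers):
    """Reject when Origin (or, failing that, Referer) is missing or foreign.
    Browsers attach Origin to cross-site POSTs and page scripts cannot forge it."""
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def accept_json_request(headers, body):
    """Return the parsed JSON object, or None if the request is rejected."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not is_json_content_type(headers) or not origin_allowed(headers):
        return None
    # A form cannot add custom headers; requiring one signals a same-origin script.
    if headers.get("x-requested-with") != "XMLHttpRequest":
        return None
    try:
        data = json.loads(body)  # strict parse: "...}=" from text/plain fails here
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


# Constructed sample requests (not captured traffic).
FORM_CSRF = (  # what the self-submitting text/plain form delivers
    {"Content-Type": "text/plain", "Origin": "https://evil.example"},
    '{"to":"acct-123","amount":1000}=\r\n',
)
LEGIT = (  # a same-origin fetch/XHR call from the bank's own front end
    {"Content-Type": "application/json; charset=utf-8",
     "Origin": "https://bank.example.com", "X-Requested-With": "XMLHttpRequest"},
    '{"to":"acct-123","amount":25}',
)
```

Each check fails independently on the forged request, so logging which one tripped gives a useful detection signal for CSRF attempts against JSON endpoints.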