From 5dbd8b749cadea770a3466bbb281494e17e5a7e7 Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 10 Aug 2020 09:56:57 +0000 Subject: [PATCH] GitBook: [master] one page modified --- pentesting-web/csrf-cross-site-request-forgery.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md index 7f587a407..bfe54edda 100644 --- a/pentesting-web/csrf-cross-site-request-forgery.md +++ b/pentesting-web/csrf-cross-site-request-forgery.md @@ -71,6 +71,10 @@ If the web site contains any **behaviour** that **allows an attacker to set a co In a further variation on the preceding vulnerability, some applications do not maintain any server-side record of tokens that have been issued, but instead **duplicate each token within a cookie and a request parameter**. When the subsequent request is validated, the application simply verifies that the **token** submitted in the **request parameter matches** the value submitted in the **cookie**. In this situation, the attacker can again perform a CSRF **attack if the web site contains any cookie setting functionality**. +### Content-Type change + +You can change to POST Content-Type to _**application/json, application/x-url-encoded**_ or _**form-multipart**_ and maybe you will be able to bypass the CSRF token. + ### Referrer / Origin check bypass #### Avoid Referrer header
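Review bot: The media type names in the added paragraph under "### Content-Type change" are not valid values: `application/x-url-encoded` should be `application/x-www-form-urlencoded`, and `form-multipart` should be `multipart/form-data`. In the same sentence, "You can change to POST Content-Type" reads as a typo for "change the POST Content-Type". The paragraph also stops at "maybe you will be able to bypass the CSRF token" without saying when that holds. Suggest adding one sentence on the condition, for example that the application enforces the token check only for the body format it expects, so a tester knows what they are checking for and a defender knows that token validation must not depend on the request's Content-Type. The other sections visible in this hunk explain the underlying weakness before the technique, and this one should follow that pattern.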