GitBook: [#3026] No subject

CPol 2022-02-21 15:48:28 +00:00 committed by gitbook-bot
parent bdd6a5edac
commit c7c8039587
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -106,6 +106,8 @@ As you already know, you cannot sent a POST request with the Content-Type **`app
However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded` ** just to check if the backend is using the data independently of the Content-Type.\
You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**
If the server is only accepting the content type "application/json", you can **send the content type "text/plain; application/json"** without triggering a preflight request.
You could also try to **bypass** this restriction by using a **SWF flash file**. More more information [**read this post**](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).
### Referrer / Origin check bypass
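
Review bot: The sentence on sending the content type "text/plain; application/json" does not say why no preflight is triggered or which backends would accept the value, so a reader cannot tell what condition is being tested. Suggest adding that the browser parses the value as text/plain, which is one of the content types allowed without a preflight, and that the request is only accepted by a backend that looks for the string application/json inside the header instead of parsing the media type and comparing it exactly. A short remark that exact media-type matching on the server closes this gap would also help readers who are fixing the issue. Minor points in the same hunk: "cannot sent" should be "cannot send", "More more information" should be "For more information", and the space before the closing ** after `application/x-www-form-urlencoded` will keep the bold from rendering.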