Monday, November 28, 2011

CSRF with JSON – leveraging XHR and CORS

The Same Origin Policy (SOP) governs cross-domain calls and decides when a cross-domain connection may be established. SOP bypasses open the CSRF attack vector: an attacker injects a payload on a cross-domain page that initiates a request without the consent or knowledge of the target user. HTML 5 adds one more policy, CORS (Cross Origin Resource Sharing). CORS is a “response blind” technique, controlled by the extra HTTP header “Origin” and its variants, but it still allows a request to hit the target in one direction. Hence, one-way CSRF is possible. A CSRF vector can be initiated with XHR Level 2 on HTML 5 pages, and it can prove a really lethal attack vector. XHR establishes a stealthy connection that remains largely hidden; the connection can be set up with “withCredentials” set to true along with the POST method, which makes the browser replay the cookie and helps in crafting a successful CSRF scenario or session riding. Interestingly, HTML 5 along with CORS allows file upload CSRF as well. It is possible to craft JavaScript that uses XHR to inject a JSON payload cross domain. If the server-side code or JSON library does not validate the “Content-Type”, it will process the request and allow a successful CSRF.
For example,

Here is a script which will do CSRF across domains.

Here, we have “Content-Type” set to “text/plain” and no extra header added, so CORS will not send an OPTIONS preflight to check the rules on the server side and will directly make the POST request. At the same time we have set credentials to “true”, so the cookie will be replayed.

On the wire we can see the following request.

As you can see, the cookie is replayed and the JSON POST has been initiated. We get the following response back from the application.

The application processed the request and sent JSON back. It is a clear case of CSRF. This can be applied to other streams as well.
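As an added defender-side example (not code from the original post), here is the server-side gate that the last paragraph implies: a JSON endpoint that refuses the no-preflight cross-site XHR described above by checking the Content-Type, the Origin header and the CSRF token the comments mention. The origin https://app.example, the X-CSRF-Token header name and the two sample requests are assumptions constructed for this example.

```javascript
// Added example, not part of the original post. Server-side gate for a JSON
// endpoint: a CORS "simple request" (POST, Content-Type text/plain, no custom
// headers) is sent without a preflight and with cookies, so the server must
// refuse anything that is not a real application/json request from an allowed
// origin carrying the session's CSRF token. Names and values are assumptions.

const ALLOWED_ORIGINS = new Set(["https://app.example"]); // assumed site

// "application/json; charset=utf-8" -> "application/json"
function parseMediaType(value) {
  return String(value || "").split(";")[0].trim().toLowerCase();
}

function checkJsonRequest(req, sessionToken) {
  // header names are case-insensitive on the wire
  const h = {};
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = v;
  if (req.method !== "POST") return { ok: false, reason: "method" };

  // 1. Only a JSON media type is accepted. text/plain is exactly what a
  //    no-preflight cross-site XHR (or a plain HTML form) can send.
  if (parseMediaType(h["content-type"]) !== "application/json") {
    return { ok: false, reason: "content-type" };
  }
  // 2. Browsers attach Origin to cross-site POSTs; an unknown one is refused.
  if (h["origin"] !== undefined && !ALLOWED_ORIGINS.has(h["origin"])) {
    return { ok: false, reason: "origin" };
  }
  // 3. The token travels in a custom header, which forces a preflight the
  //    attacker's page does not pass, and is compared with the session value.
  const token = h["x-csrf-token"];
  if (!token || !sessionToken || token !== sessionToken) {
    return { ok: false, reason: "token" };
  }
  let body;
  try { body = JSON.parse(req.body); }
  catch (e) { return { ok: false, reason: "body" }; }
  return { ok: true, body };
}

// Constructed sample requests. `forged` has the shape of the cross-site XHR
// the post describes: cookie replayed, text/plain, no custom headers.
const forged = {
  method: "POST",
  headers: { Origin: "https://evil.example", "Content-Type": "text/plain", Cookie: "sid=abc" },
  body: '{"amount":100}',
};
const legit = {
  method: "POST",
  headers: { Origin: "https://app.example", "Content-Type": "application/json; charset=utf-8",
             "X-CSRF-Token": "t0k", Cookie: "sid=abc" },
  body: '{"amount":100}',
};

console.log(checkJsonRequest(forged, "t0k")); // -> { ok: false, reason: 'content-type' }
console.log(checkJsonRequest(legit, "t0k"));  // -> { ok: true, body: { amount: 100 } }
```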


Gynvael Coldwind said...


Cool write-up, I've got worried that this opens a new SOP bypass hole at first read.
But I've done some digging and quite quickly realized that this isn't anything that wasn't already possible to do with standard form+.submit() XSRF exploitation method (with JSON in input's name in this case).
So I guess the good-old XSRF token still saves the day, even in this case.

Cheers :)

shreeraj said...

Yes. It is possible to do with a form, but you need to hide that "=" at the trailing end or somewhere in between the JSON. It may spoil the JSON structure and may not get processed by the server.

Gursev Kalra said...

Hi Shreeraj,

Does this look like one more way to achieve successful CSRF with JSON?


Gynvael Coldwind said...

@Gursev Kalra
"one more way"? Nope, it actually looks like the exact thing I've written about in my previous comment, so that would make it "the old way" :)

Gursev Kalra said...


So your comment does not talk about how to send well-formed JSON. Sending the parameter in the name does leave a trailing '=' sign, as Shreeraj indicated.

Gynvael Coldwind said...

@Gursev Kalra
Agreed that it does not say, but it's pretty obvious how to fix the formatting :)
Hence, it's not a "one more way".

Gursev Kalra said...


No worries. You win :)

Gynvael Coldwind said...

@Gursev Kalra
That being said... it's cool that you've actually written it down :)

kp said...


I need help with writing code for CSRF for the application using the GWT framework. It's returning the content in JSON. So does the similar code given above by Shreeraj work, or do we need any other new code? PLEASE help.

Gil Bar-Tur said...

Tried it now and can't seem to get it to work.
This is my code:

    function callServer() {
        var xmlhttp = new XMLHttpRequest();

        xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                document.getElementById('retrievedData').innerHTML = xmlhttp.responseText;
            }
        };
        xmlhttp.open('GET', 'http://localhost:1077/DoSomething.ashx?p=' + Math.random(), true);
        xmlhttp.setRequestHeader('Content-Type', 'text/plain');
        // withCredentials is a boolean property, not a string
        xmlhttp.withCredentials = true;
        // nothing goes on the wire until send() is called
        xmlhttp.send();
    }

can you tell why my csrf attack doesn't work?

Satish Kumar said...

It works fine when we set Content-Type to "text/plain".
But I need to set 'Content-Type' to 'application/json'.
I just replaced 'text/plain' with 'application/json', and the HTTP method was set to 'OPTIONS' and the content-type was not set.

Is there any way to set the content-type to 'application/json'?


prem said...

I think this doesn't work for the DELETE method, and moreover, when a cookie is created with the httponly and secure flags set, it will not attach those cookies to the request header.
