
CSRF - Can forged POSTs contain arbitrary data?

Forged POST requests can be constructed by untrusted websites by creating a form and posting it to the target site. However, the raw contents of this POST will be encoded by the browser to be in the format:

param1=value1&param2=value2

Is it possible for untrusted websites to construct forged POSTs which contain arbitrary raw content -- such as stringified JSON?

{param1: value1, param2: value2}

Put another way: Can websites cause the browser to POST arbitrary content to third-party domains?

JS_Riddler asked May 28 '12 17:05


2 Answers

The POST body of an HTML form’s request is always either application/x-www-form-urlencoded, multipart/form-data, or text/plain, as these reflect the valid values for the enctype attribute. In particular, text/plain can be used to form valid JSON data. So form-based CSRF can be used here; however, it requires the server to accept it as text/plain.

Additionally, XHR-based CSRF can be used, as the XMLHttpRequest API allows sending arbitrary POST data. The only remaining obstacle with this is the Same-Origin Policy: only if both have the same origin, or your server supports Cross-Origin Request Sharing and allows resource sharing, can such valid POST requests be forged.

Gumbo answered Sep 30 '22 11:09
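
A server-side check that follows from the answer above, as an added example that is not part of the original answer: because a form body can only be one of the three enctype types, a JSON endpoint can refuse anything not declared as application/json and then check the Origin header. The function names, the allowed origin and the lowercase header keys are assumptions.

```javascript
// Added example; function and variable names are hypothetical.
// Assumes header names arrive lowercased (as Node's http module delivers them).
// The three body types an HTML form can produce (valid enctype values).
const FORM_ENCTYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// Assumption: the origins your own front end is served from.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(header) {
  return String(header || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a JSON endpoint should process this POST.
function acceptJsonPost(req) {
  const type = mediaType(req.headers['content-type']);
  if (type !== 'application/json') {
    // Covers text/plain bodies that happen to parse as JSON.
    const reason = FORM_ENCTYPES.has(type)
      ? 'content type reachable from an HTML form'
      : 'unsupported content type';
    return { ok: false, status: 415, reason };
  }
  // Browsers attach Origin to cross-origin POSTs; reject unknown ones.
  const origin = req.headers['origin'];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  try {
    return { ok: true, status: 200, data: JSON.parse(req.body) };
  } catch (err) {
    return { ok: false, status: 400, reason: 'malformed JSON' };
  }
}

// Constructed sample requests (not captured traffic).
const body = '{"param1":"value1","param2":"value2"}';
const samples = [
  { headers: { 'content-type': 'text/plain', origin: 'https://other.example' }, body },
  { headers: { 'content-type': 'application/json', origin: 'https://other.example' }, body },
  { headers: { 'content-type': 'Application/JSON; charset=utf-8', origin: 'https://app.example' }, body },
];
function sampleStatuses() {
  return samples.map((s) => acceptJsonPost(s).status);
}
console.log(sampleStatuses());
```

The first sample is rejected on content type alone, before the body is ever parsed, which is the property that matters for the text/plain case.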


Yes! A POST request is nothing more than text with a specific format sent to a web server. You can use IE or Chrome developer tools to look at what each request looks like.

So yes, you can create a forged POST request and change whatever you want; however, if the request is not well-formed, most web servers will reject it.

https://www.rfc-editor.org/rfc/rfc2616

zad answered Sep 30 '22 12:09