I'm developing a web API. Authentication is through cookies. All endpoints receive parameters through JSON in the request body.
Do I need to implement a CSRF token to protect them?
How can this be exploitable? Is it possible to send JSON through a normal <form> element?
Is it possible for an attacker to have something like this?
<form type="application/json" method="POST">
<input name="json" value="{ my json code here }">
<input type="submit" value="Send">
</form>
JSON CSRF PoC
What is CSRF?
CSRF is Cross-Site Request Forgery, a vulnerability which can be used to force a user to conduct unintended actions on a web application.
CSRF on JSON Endpoint:
Below are the required conditions in order to perform this attack:
But it is possible to exploit the JSON CSRF even though the 2nd and 3rd points are not satisfied. Whenever I test a web application, I carefully observe its authentication mechanism. If it is cookie-based authentication then I directly look for the CSRF vulnerability. As I said above, the request below satisfies the 1st point.
However, with the form data encoding text/plain it is still possible to forge requests containing valid JSON data. So the only threat comes from XHR-based CSRF attacks.
Firstly, you have to secure your API to avoid HTML/JavaScript injections that can cause CSRF attacks on OTHER sites. To do it:
- use HTTPS for all communications to avoid MITM attacks
- sanitize all incoming data to prevent HTML/JavaScript/SQL/LDAP/Command/... injections. You can also use a web application firewall (WAF) that prevents different types of attacks.
- use HTTP headers:
X-XSS-Protection "1; mode=block" - this header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Content-Security-Policy - this header tells the browser that it can only communicate with the domains you explicitly allow.
In case your API provides any sensitive information, then use a CSRF token to avoid CSRF attacks on YOUR API. The CSRF attack on your API can be done, for example, by JavaScript injected into another website. In this case the injection can make a correct AJAX request.
There's no attribute named type for HTML forms. The closest attribute is enctype, and you can find its reference here. The only valid values for the attribute are:
- application/x-www-form-urlencoded, the default. All characters are encoded before being sent (spaces are converted to "+" symbols, and special characters are converted to ASCII HEX values).
- multipart/form-data: no characters are encoded. This value is required when you are using forms that have a file upload control.
- text/plain: spaces are converted to "+" symbols, but no special characters are encoded.
Therefore a simple form can not submit a valid JSON payload.
A CSRF token is a must; maybe you can add some hash based on the value and match it later, and you might want to consider using AJAX to send the value rather than putting it inside an input, since JSON often has double quotes, like value="{name:""}", and that will make the HTML invalid.
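Pulling the answers above together (a text/plain form can carry a JSON-looking body, the request must really be a JSON XHR, and the endpoint needs a CSRF token), here is a server-side validation routine written as an added example for this thread; it is not code from any of the answers or from any framework. It is framework-agnostic: the request is modelled as a headers dict, the raw body and the token stored in the user's session. ALLOWED_ORIGINS, CSRF_HEADER, the sample requests and the session token are all constructed for the example.

```python
"""Server-side checks for a cookie-authenticated JSON API (added example).

Three independent checks, each of which on its own stops the form-based
JSON CSRF route described in the thread:
  1. the Content-Type must be application/json (forms can only send the
     three enctype values, none of which is application/json);
  2. the Origin (or, failing that, Referer) must be our own site;
  3. a per-session CSRF token must be presented in a custom header.
"""
import hmac
import json
import secrets

ALLOWED_ORIGINS = {"https://api.example.test"}   # assumed deployment origin
CSRF_HEADER = "x-csrf-token"                      # assumed custom header name


def issue_csrf_token() -> str:
    """Create a per-session token; store it server-side and hand it to the front end."""
    return secrets.token_urlsafe(32)


def _content_type_is_json(headers: dict) -> bool:
    # Parameters such as ";charset=utf-8" are allowed, but the media type itself
    # must be exactly application/json; text/plain with a JSON body is rejected.
    ctype = headers.get("content-type", "")
    media_type = ctype.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def _origin_allowed(headers: dict) -> bool:
    # Browsers attach Origin to cross-site POSTs. If it is absent we fall back to
    # the scheme+host of the Referer; if neither is present the request is refused.
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer", "")
        origin = "/".join(referer.split("/")[:3]) if referer else ""
    return origin in ALLOWED_ORIGINS


def _token_matches(headers: dict, session_token: str) -> bool:
    presented = headers.get(CSRF_HEADER, "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    return bool(session_token) and hmac.compare_digest(presented, session_token)


def validate_json_request(headers: dict, body: bytes, session_token: str):
    """Return (accepted, reason, parsed_json); header names are matched case-insensitively."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not _content_type_is_json(headers):
        return False, "content-type is not application/json", None
    if not _origin_allowed(headers):
        return False, "origin not allowed", None
    if not _token_matches(headers, session_token):
        return False, "csrf token missing or wrong", None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "body is not valid json", None
    return True, "ok", data


# --- constructed sample requests (not captured traffic) ---------------------
SESSION_TOKEN = "constructed-session-token-123"  # stands in for the stored per-session value

# What a text/plain <form> submitted from another site looks like to the server:
# the cookie is sent automatically, but the media type gives the form away.
FORM_POST = {
    "headers": {"Content-Type": "text/plain", "Origin": "https://other.example.test",
                "Cookie": "session=abc"},
    "body": b'{"amount": 1000, "to": "someone"}',
}
# The application's own front end: same-origin XHR with the token header.
LEGIT_XHR = {
    "headers": {"Content-Type": "application/json; charset=utf-8",
                "Origin": "https://api.example.test", CSRF_HEADER: SESSION_TOKEN,
                "Cookie": "session=abc"},
    "body": b'{"amount": 10, "to": "friend"}',
}
# A cross-origin XHR with the right media type but a foreign Origin and no token.
CROSS_SITE_XHR = {
    "headers": {"Content-Type": "application/json", "Origin": "https://other.example.test",
                "Cookie": "session=abc"},
    "body": b'{"amount": 1000, "to": "someone"}',
}


def check_sample_requests() -> dict:
    """Run the validator over the constructed requests and return each verdict."""
    return {
        name: validate_json_request(req["headers"], req["body"], SESSION_TOKEN)[:2]
        for name, req in (("form_post", FORM_POST), ("legit_xhr", LEGIT_XHR),
                          ("cross_site_xhr", CROSS_SITE_XHR))
    }


if __name__ == "__main__":
    for name, verdict in check_sample_requests().items():
        print(f"{name}: {verdict}")
```

The order of the checks matters less than having all three: the Content-Type check alone defeats any HTML form, the Origin check catches scripts on other sites regardless of what headers they set, and the token check protects you if Origin is stripped or if an allowed origin is itself compromised by injected script. Note that a cross-origin XHR sending application/json triggers a CORS preflight, so unless your CORS policy explicitly allows that origin the browser never delivers it; the checks here are the defence for the cases where that policy is looser than it should be.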