Cross-Site POST Requests Without a Content-Type Header / nastystereo.com

Submitted by Style Pass, 2024-11-27 09:30:03

There are many different ways that web applications implement protection against Cross-Site Request Forgery (CSRF) attacks. The protections that are more implicit than explicit are generally riskier, especially when they rely on browsers never adjusting what is permitted.

One interesting attempt at CSRF protection is to reject any request whose Content-Type header is not equal to application/json. This works because browsers only allow application/x-www-form-urlencoded, multipart/form-data and text/plain (and possibly a few other exceptions) to be sent cross-site without further checks. It is possible to send arbitrary values, but only after the receiving website has granted permission via Cross-Origin Resource Sharing (CORS).
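As an added illustration (not code from the post or from the example application it refers to), the following Python module shows the server side of this check. The `handle_post` handler, the `Decision` type and the `loose_content_type_ok` variant are hypothetical names chosen here. The strict gate parses the Content-Type value properly, so it rejects a missing or blank header, a different media type and a malformed value, while still accepting `application/json` with parameters such as `charset`. The loose variant is included only to show what a check that skips absent headers lets through; it is an assumed weak pattern, not the post's example.

```python
"""Content-Type gate for a JSON endpoint (added example, not from the post)."""
from dataclasses import dataclass
from typing import Mapping, Optional

ALLOWED_MEDIA_TYPE = "application/json"

# Media types a browser will send cross-site from a plain form submission
# without a CORS grant (the set named in the post).
FORM_SAFE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_media_type(header_value: Optional[str]) -> Optional[str]:
    """Return the lowercase media type from a Content-Type value.

    Returns None when the header is absent, empty or malformed.
    "Application/JSON; charset=utf-8" -> "application/json"
    ""                                -> None
    "application/json foo"            -> None (whitespace inside the type)
    """
    if header_value is None:
        return None
    media_type = header_value.split(";", 1)[0].strip().lower()
    if not media_type or "/" not in media_type:
        return None
    main, _, sub = media_type.partition("/")
    if not main or not sub or any(c.isspace() for c in media_type):
        return None
    return media_type


def csrf_content_type_ok(headers: Mapping[str, str]) -> bool:
    """Strict gate: accept only when Content-Type parses to exactly application/json.

    A missing header is a rejection, not a pass.
    """
    return parse_media_type(get_header(headers, "Content-Type")) == ALLOWED_MEDIA_TYPE


def loose_content_type_ok(headers: Mapping[str, str]) -> bool:
    """Assumed weak pattern: only compares the header when one is present.

    A request with no Content-Type at all is waved through.
    """
    value = get_header(headers, "Content-Type")
    if value is None:
        return True
    return parse_media_type(value) == ALLOWED_MEDIA_TYPE


@dataclass
class Decision:
    status: int
    reason: str


def handle_post(headers: Mapping[str, str]) -> Decision:
    """Minimal handler showing where the gate sits; 415 for a wrong or missing type."""
    if not csrf_content_type_ok(headers):
        return Decision(415, "Content-Type must be application/json")
    return Decision(200, "ok")


if __name__ == "__main__":
    # Constructed sample header sets for a quick local run.
    samples = [
        {"Content-Type": "application/json"},
        {"content-type": "Application/JSON; charset=utf-8"},
        {"Content-Type": "text/plain"},
        {},
    ]
    for sample in samples:
        strict = handle_post(sample)
        print(sample, "strict:", strict.status, "loose:", loose_content_type_ok(sample))
```

Even with the strict gate in place, this check remains an implicit protection that depends on browser behaviour; a per-session CSRF token or an Origin/Sec-Fetch-Site check is the explicit control to pair it with.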

In 2011 this protection was bypassed by kuza55 using 307 redirects with Adobe Flash Player, resulting in CVE-2011-0059 in Firefox and CVE-2011-0447 in Ruby on Rails. Then in 2015, navigator.sendBeacon in Chrome was found to allow cross-site POST requests with an arbitrary Content-Type header, tracked as bug #490015.

As these old tricks are no longer useful, I would like to share an interesting caveat where the protection can be bypassed if implemented as in the example application below.
