May 30, 2019

Exploit POC for CSRF in JSON endpoints with Flash and redirects.

To exploit a CSRF issue on JSON endpoints, the usual method of HTML forms won't work, as the JSON endpoint expects a Content-Type header of 'application/json'. Setting this header requires an XMLHttpRequest, and a cross-origin XMLHttpRequest with a non-simple Content-Type such as 'application/json' makes the browser send an OPTIONS pre-flight request to the vulnerable server first. In short, a script on one domain cannot make such a cross-origin XMLHttpRequest without the pre-flight request, and the pre-flight fails unless the server explicitly allows that origin.

There is a way to do it using Flash and 307 redirects: the request goes first to an attacker-controlled host, which answers with a 307 redirect to the vulnerable endpoint, and the browser follows it with the same method, body, and Content-Type header, without a pre-flight.
A very good write-up of this is available on the Appsecco blog. I have created an online POC using the code they have published. Feel free to use this POC to test CSRF in such scenarios without creating a setup on your machine. Here is the link to the POC - Exploit POC for CSRF in JSON endpoints with Flash and redirects.
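The defensive takeaway is that a JSON Content-Type on its own is no proof that a request came from your own pages. Below is an added example (not code from this post or from the Appsecco write-up) of the server-side checks a JSON endpoint should apply to a state-changing request: strict media type, an allow-listed Origin (falling back to Referer), and a per-session anti-CSRF token compared in constant time. The origin, header name and sample header sets are constructed for illustration.

```python
import hmac
from typing import Mapping, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example"}   # assumed: the site that owns the API
CSRF_HEADER = "x-csrf-token"                 # assumed header carrying the session token


def media_type(value: Optional[str]) -> str:
    """'application/json; charset=utf-8' -> 'application/json'."""
    return value.split(";", 1)[0].strip().lower() if value else ""


def request_origin(h: Mapping[str, str]) -> Optional[str]:
    """Origin header (keys already lowercased), else scheme://host of Referer, else None."""
    if h.get("origin"):
        return h["origin"].rstrip("/")
    parts = urlsplit(h.get("referer", ""))
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def check_json_request(headers: Mapping[str, str], session_token: str) -> tuple:
    """Decide whether a state-changing JSON request may be processed.
    A correct Content-Type proves nothing by itself (the Flash + 307 trick
    sets it freely), so the request must also come from an allow-listed
    origin and carry the token bound to the victim's session."""
    h = {k.lower(): v for k, v in headers.items()}
    if media_type(h.get("content-type")) != "application/json":
        return False, "content-type is not application/json"
    origin = request_origin(h)
    if origin is None:
        return False, "no Origin/Referer: reject instead of assuming same-origin"
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    token = h.get(CSRF_HEADER, "")
    if not hmac.compare_digest(token, session_token):   # constant-time comparison
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample requests (header sets only; nothing touches the network)
SESSION_TOKEN = "s3ss10n-t0k3n"
FORM_POST = {"Content-Type": "application/x-www-form-urlencoded",
             "Origin": "https://attacker.example"}
JSON_FORGED = {"Content-Type": "application/json",          # forged type, no token
               "Origin": "https://attacker.example"}
LEGIT = {"Content-Type": "application/json; charset=utf-8",
         "Origin": "https://app.example", "X-CSRF-Token": SESSION_TOKEN}

if __name__ == "__main__":
    for name, hdrs in (("form", FORM_POST), ("forged json", JSON_FORGED), ("legit", LEGIT)):
        print(name, check_json_request(hdrs, SESSION_TOKEN))
```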