CSRF via Content-Type Lab

Current Session

Your current name: CleverTiger

Session ID: 2a54cd3e67542d4100f6113cbd36c5a4

How to Test

You can update your name by sending a POST request to this endpoint with either:

Content-Type: application/json
Content-Type: text/plain

Example request:

                POST /csrfContentType.php

                Content-Type: text/plain

                {"name": "NewName"}

Vulnerability

This endpoint accepts both application/json and text/plain content types. The text/plain content type can be sent via a top-level navigation, making it vulnerable to CSRF attacks even with SameSite cookies.