CSRF via Content-Type Lab

Current Session

Your current name: CleverWolf

Session ID: 046e0b872c248162ab2d9065b9f76c09

How to Test

You can update your name by sending a POST request to this endpoint with either:

Content-Type: application/json
Content-Type: text/plain

Example request:

                POST /csrfContentType.php

                Content-Type: text/plain

                {"name": "NewName"}

Vulnerability

This endpoint accepts both application/json and text/plain content types. The text/plain content type can be sent via a top-level navigation, making it vulnerable to CSRF attacks even with SameSite cookies.