Content-Type that can be used for XSS and some related tricks
All frameworks were analyzed with their default token-based CSRF protection disabled.
Examples of incorrect Content-Type parsing that can be used for CSRF: for example, the ability to send an HTTP request that the server interprets as JSON without the browser issuing a CORS preflight request.
This can be combined with attacks that require a boolean or an array in the HTTP request (PHP type juggling, NoSQL injection, prototype pollution, ...).
Interesting results
- Difference of Content-Type processing in browsers
- Laravel JSON Content-Type parsing
- Laminas, Mezzio, Zend Framework JSON Content-Type parsing
- Wordpress JSON Content-Type parsing
| HTTP Request | Application | WAF | Result |
|---|---|---|---|
| Content-Type: application/x-www-form-urlencoded<br>q=' union select '1 | ' union select 1' | ' union select 1' | ➖ Blocked |
| Content-Type: application/json<br>{"q":"' \u0075nion \u0073elect '1"} | ' union select 1' | ' union select 1' | ➖ Blocked |
| Content-Type: application/x-www-form-urlencoded;/json<br>{"q":"' \u0075nion \u0073elect '1"} | ' union select 1' | {"q":"' \u0075nion \u0073elect '1"} | ✔️ Bypass |
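The CSRF description above and the table above come down to the same root cause: the browser decides whether a request needs a CORS preflight from the *parsed* media type of `Content-Type`, while a server (or WAF) that selects its body decoder with a looser test, such as a substring match, can reach a different conclusion from the same header. The following Python is an added example written for this README, not code from any of the frameworks listed here. It parses `Content-Type` strictly (type/subtype tokens, then only well-formed `name=value` parameters), mirrors the Fetch specification's CORS-safelisted `Content-Type` rule (essence in the safelist, value at most 128 bytes), and places a hypothetical lax matcher (`lax_looks_like_json`) beside the strict one so the disagreement is visible. `decode_body`, `compare` and the sample body are assumptions made for the example.

```python
"""Strict Content-Type parsing beside a lax substring check (added example).

Illustrative code written for this page, not code from any framework listed
here.  `lax_looks_like_json` is a hypothetical stand-in for a permissive
check; the safelist and the 128-byte limit follow the Fetch specification's
CORS-safelisted request-header rules.
"""
import json
import re
from urllib.parse import parse_qs

# RFC 7230 'tchar': characters allowed in a type, subtype or parameter-name token
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# type "/" subtype, optional whitespace, then either the end of the header or a ';'
_MEDIA_RE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})\s*(?=;|$)")
# one parameter: ";" name "=" (token | quoted-string), surrounding whitespace tolerated
_PARAM_RE = re.compile(rf'\s*;\s*({_TOKEN})=(?:({_TOKEN})|"((?:[^"\\]|\\.)*)")\s*')

# Content-Type essences a browser may send cross-origin without a CORS preflight
CORS_SAFELISTED = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def media_type_essence(header):
    """The 'type/subtype' a browser extracts: the text before the first ';', lowercased.
    Returns None when type or subtype is not a valid token (a parse failure for the browser)."""
    m = _MEDIA_RE.match(header)
    return (m.group(1) + "/" + m.group(2)).lower() if m else None


def parse_content_type(header):
    """Strict server-side parse: (media_type, params), or None for a malformed header.
    Every parameter must be name=value; a stray ';/json' or a bare ';' is rejected, not guessed at."""
    m = _MEDIA_RE.match(header)
    if not m:
        return None
    params = {}
    pos = m.end()
    while pos < len(header):
        pm = _PARAM_RE.match(header, pos)
        if not pm:
            return None
        # group 2 is a token value, group 3 a quoted-string value (backslash escapes removed)
        value = pm.group(2) if pm.group(2) is not None else re.sub(r"\\(.)", r"\1", pm.group(3))
        params[pm.group(1).lower()] = value
        pos = pm.end()
    return (m.group(1) + "/" + m.group(2)).lower(), params


def browser_sends_preflight(header):
    """Fetch spec: Content-Type is CORS-safelisted only if its value is at most 128 bytes
    and its parsed essence is in CORS_SAFELISTED; anything else triggers a preflight."""
    if len(header.encode()) > 128:
        return True
    return media_type_essence(header) not in CORS_SAFELISTED


def lax_looks_like_json(header):
    """Hypothetical lax check: any '/json' substring selects the JSON decoder."""
    return "/json" in header.lower()


def decode_body(header, body, strict=True):
    """Returns (decoder_used, decoded_value).  strict=True requires an exact, well-formed
    media type and answers '415' for everything else; strict=False shows the lax behaviour."""
    if strict:
        parsed = parse_content_type(header)
        if parsed is None:
            return "415", None
        media_type = parsed[0]
    else:
        media_type = "application/json" if lax_looks_like_json(header) else "application/x-www-form-urlencoded"
    if media_type == "application/json":
        try:
            return "json", json.loads(body)
        except ValueError:
            return "400", None
    if media_type == "application/x-www-form-urlencoded":
        return "form", {k: v[0] for k, v in parse_qs(body).items()}
    return "415", None


def compare(header, body):
    """What the browser, a lax server and a strict server each conclude for one header."""
    return {
        "preflight": browser_sends_preflight(header),
        "lax": decode_body(header, body, strict=False)[0],
        "strict": decode_body(header, body, strict=True)[0],
    }


if __name__ == "__main__":
    SAMPLE_BODY = '{"q":"hello"}'  # constructed sample body
    for h in ("application/x-www-form-urlencoded", "application/json", "application/x-www-form-urlencoded;/json"):
        print(f"{h:45} {compare(h, SAMPLE_BODY)}")
```

For `application/x-www-form-urlencoded;/json` the browser sees a safelisted form type and sends no preflight, the lax matcher routes the body to the JSON decoder, and the strict parser answers 415: the mismatch in the third table row, and its fix, in one place. A framework that wants to accept JSON should therefore compare the parsed essence for equality and reject headers whose parameters do not parse, rather than searching the raw header value.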
Interesting results
- PHP multipart boundary parsing
- Laravel JSON Content-Type parsing
- Symfony JSON/XML Content-Type parsing
- Laminas, Mezzio, Zend Framework JSON Content-Type parsing
- Flask JSON Content-Type parsing
- CherryPy multipart & JSON Content-Type parsing
- Express multer multipart Content-Type parsing
- Rails multipart & JSON Content-Type parsing
| Name | CSRF friendly | WAF Bypass friendly |
|---|---|---|
| PHP | ✔️ | |
| Laravel | ✔️ | ✔️ |
| Symfony | ✔️ | |
| Laminas, Mezzio, Zend | ✔️ | ✔️ |
| Yii | ❓ | |
| Wordpress | ❓ | ❓ |
| CakePHP | ❓ | ❓ |
| CodeIgniter | ❓ | ❓ |
| Django | ❓ | ✔️ |
| Flask | ✔️ | |
| CherryPy | ✔️ | |
| Express body-parser | | |
| Express multer | ✔️ | |
| Rails | ✔️ | |