mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings
synced 2026-05-08 12:43:34 +02:00
Merge 95af3e9bfe into 497fbe925b
This commit is contained in:
Houssam Miliani
GitHub
commit
a30bb485c9
1 changed files with 14 additions and 0 deletions
|
|
@ -14,6 +14,8 @@
|
|||
* [JSON GET - Simple Request](#json-get---simple-request)
|
||||
* [JSON POST - Simple Request](#json-post---simple-request)
|
||||
* [JSON POST - Complex Request](#json-post---complex-request)
|
||||
|
||||
* [CSRF Middleware Bypass](#CSRF-Middleware-Bypass)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
|
@ -133,6 +135,18 @@ xhr.send('{"role":admin}');
|
|||
</script>
|
||||
```
|
||||
|
||||
## CSRF Middleware Bypass
|
||||
- In CSRF, some frameworks automatically block CSRF via middleware by validating tokens on unsafe HTTP methods and return 403, Example:
|
||||
|
||||
| Technology | Prevent it | You accept |
|
||||
|:----------------|:----------------------------|:--------------------|
|
||||
| Go Fiber | POST, PUT, DELETE | PATCH |
|
||||
| Django | POST, PUT, PATCH, DELETE | GET, HEAD, OPTIONS |
|
||||
| Laravel | POST, PUT, PATCH, DELETE | GET, HEAD |
|
||||
| Express.js (csurf) | POST, PUT, PATCH, DELETE | GET, HEAD, OPTIONS |
|
||||
| Spring Boot | POST, PUT, PATCH, DELETE | GET, HEAD, OPTIONS |
|
||||
| Ruby on Rails | POST, PUT, PATCH, DELETE | GET, HEAD, OPTIONS |
|
||||
|
||||
## Labs
|
||||
|
||||
* [PortSwigger - CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses)
|
||||
|
|
|
|||
Loading…
Reference in a new issue