Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cross-Site POST Requests Without a Content-Type Header - 1548

Luke Jahnke, posted 1 year ago
  • Cross-Site Request Forgery (CSRF) attacks have largely been mitigated by browser protections such as SameSite cookie flags and CORS pre-flight requests. Some of these defences work only because of current browser behaviour and shouldn't be treated as security guarantees, since that behaviour could change.
  • One mechanism for blocking CSRF is rejecting requests whose Content-Type is not application/json. Because a cross-origin request with that content type triggers a pre-flight, attackers commonly send the same body with another content type, such as text/plain, to avoid it.
  • There are some notable bypasses for this, though. For instance, 307 redirects combined with Adobe Flash Player in Firefox, and in Chrome a navigator.sendBeacon vulnerability that allowed the Content-Type header to be set to an arbitrary value.
  • The fetch API in JavaScript is used to make web requests, and its body accepts both a string and a Blob object. Passing a Blob created without a type sends the request with no Content-Type header at all, and, because no non-simple header is present, without a CORS pre-flight! The data in the Blob becomes the body of the request.
  • The article gives an example of a Ruby on Rails endpoint whose check first tests whether a Content-Type header exists and only then compares it to application/json; since the header doesn't exist, the check is effectively skipped. Although this is unlikely to work as a complete bypass, it's an interesting trick nonetheless.
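The weakness described in the last bullet is the shape of the check, not anything specific to Rails. Below is an added example (my own, not code from Luke Jahnke's article or from any Rails project) contrasting a content-type check that only compares the header when one is present with one that treats a missing header as a rejection. The request hashes are constructed Rack-style environments; `CONTENT_TYPE` is the key Rack uses for the Content-Type header, and the helper names are assumptions.

```ruby
# Added example: a Content-Type based CSRF check written two ways.
# The environment hashes follow Rack's convention of exposing the
# Content-Type header as env["CONTENT_TYPE"]; all samples are constructed.

JSON_TYPE = "application/json".freeze

# Weak check: a guard for "is there a content type?" runs first, and a
# request that carries no Content-Type header at all (such as a fetch()
# whose body is a typeless Blob) skips the comparison and is accepted.
def weak_json_check(env)
  ct = env["CONTENT_TYPE"]
  return true if ct.nil? || ct.strip.empty?    # absent header => check skipped
  ct.split(";").first.strip.downcase == JSON_TYPE
end

# Hardened check: the absence of the header is itself grounds for rejection.
# Media-type parameters such as "; charset=utf-8" are stripped before the
# comparison so legitimate JSON clients are still accepted.
def strict_json_check(env)
  ct = env["CONTENT_TYPE"]
  return false if ct.nil? || ct.strip.empty?   # absent header => rejected
  media_type = ct.split(";").first.strip.downcase
  media_type == JSON_TYPE
end

# Constructed sample requests covering the cases that matter for this check.
SAMPLE_REQUESTS = {
  "json"         => { "CONTENT_TYPE" => "application/json" },
  "json_charset" => { "CONTENT_TYPE" => "application/json; charset=utf-8" },
  "text_plain"   => { "CONTENT_TYPE" => "text/plain" },
  "no_header"    => {}, # what a typeless-Blob fetch() body looks like server-side
}.freeze

# Runs one of the checks (by name) over every sample and returns a
# hash of sample name => accepted?.
def evaluate(check_name)
  SAMPLE_REQUESTS.transform_values { |env| send(check_name, env) }
end

if __FILE__ == $PROGRAM_NAME
  %i[weak_json_check strict_json_check].each do |check|
    puts "#{check}: #{evaluate(check).inspect}"
  end
end
```

Running the file prints that only `strict_json_check` rejects the `no_header` case; both versions accept JSON with or without a charset parameter and reject `text/plain`. A content-type check of either kind is a supplementary control at best, and the page's first bullet already names the primary ones (SameSite cookies and CORS pre-flights); an anti-CSRF token or Origin/Referer validation should not be replaced by it.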