1

I am testing an application that send XML data as body in POST request. The application is not using any CSRF token Is there any way to perform CSRF in this case. XHR does not works in latest browsers, as it blocks CORS requests. One link i came across but is not working. http://pentestmonkey.net/blog/csrf-xml-post-request Any way to achieve this?

PenGeek
  • 199
  • 1
  • 11
  • There are many questions on this site that discuss issues along these lines. This answer will probably help: https://security.stackexchange.com/a/166798/149676 – Conor Mancone Aug 10 '17 at 13:02
  • 1
    Do you require a particular Content-Type or just an XML-formatted body? – Arminius Aug 10 '17 at 13:06
  • Yes, it requires Content-type as text/xml only. If it was accepting any content-type, text/plain would have worked, – PenGeek Aug 10 '17 at 18:38
  • you can't use POST from a CSRF alone. Unless the server allows GET you need XSS to do it via ajax... – dandavis Aug 11 '17 at 03:22

0 Answers0