Last updated
Was this helpful?
In the previous section we saw how relying on the content-type is not a protection against CSRF. In this section we will look into another way we can perform a CSRF attack against a APIs which are not protected against CSRF.
In this assignment you need to achieve to POST the following JSON message to our endpoints:
More information can be found
Remember you need to make the call from another origin (WebWolf can help here) and you need to be logged in into WebGoat.
Solution
Open ZAP and intercept the request.
When we send the request, WebGoat replies that the solution is not correct. This is because the form submitted should be in JSON format.
We will need to create an HTML form that sends the data in JSON format.
To create a correct html form we need to create a valid JSON payload. For this we will use enctype="text/plain", which forces the browser to send the form data as plain text, without URL encoding. We will also need to format the form fields to create a JSON payload.
Save the HTML. Upload to WebWolf. Click Submit and you will get the flag value.
