webPromedium

DevPulse — CSRF via JSON Content-Type Bypass

hackadvisor

Task: Express.js developer analytics platform with JSON API settings endpoint, admin bot visits reported URLs, admin profile is private. Solution: CSRF via Content-Type bypass — the JSON API also accepts application/x-www-form-urlencoded, enabling a cross-origin form POST that bypasses SameSite=Lax as a top-level navigation to change admin's profile visibility to public.

$ ls tags/ techniques/

express csrf admin_bot session_cookie json_api content_type_bypass samesite_lax

csrf_content_type_bypasssamesite_lax_top_level_navigationform_urlencoded_to_json_apiadmin_bot_csrf

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]CloudPulse — OAuth CSRF Account Takeover via Missing State Parameter— hackadvisor
[web][Pro]DesignPulse — Reflected XSS via SVG Badge Injection— hackadvisor
[web][Pro]Lab 186 — DataPulse — CORS Origin Validation Bypass— hackadvisor
[web][Pro]Lab 56 — DataPulse — XXE to SSRF via SVG Avatar Upload— hackadvisor
[web][Pro]Lab 63 — DataPulse — Insecure Deserialization via Preferences Cookie— hackadvisor