Burp Suite User Forum

Login to post

Problem generating a CSRF PoC

Zonduhackerone | Last updated: Oct 15, 2019 09:15PM UTC

I understand how basic CSRF works and i have reported some csrf issue to some bug bounty programs in the past, but i have encountered this issue that i don't know what to do. I get this little message when trying to generate a CSRF PoC on a POST request without csrf token or headers: > Warning: The CSRF form uses a different encoding type than the original request, and so the application may not process the request in the way required. Further, the CSRF form uses plain text encoding, and the request body cannot be exactly reproduced because it does not contain the = character. Try modifying the original request so that the body contains the = character. Where exactly i should add the = character if the original requests looks liek this, example: {"phoneNumber":"+ 48-695-5581-39","zipCode":"12-312"} i have tried all forms of the CSRF poc generator and all of them didn't work. Hope you can help me, thanks.

Mike, PortSwigger Agent | Last updated: Oct 16, 2019 10:30AM UTC

Looking at the source code, it appears this error message is raised when the encoding type specified by the Content-Type header is unable to be determined, or if it is different to the Encoding Type specified in the user interface panel. Is what you have selected in the user interface different from what is specified in the Content-Type header of the request?

B3twise | Last updated: Jul 15, 2020 07:08PM UTC

the content-type is application/json

B3twise | Last updated: Jul 15, 2020 07:12PM UTC

Is it possible to do csrf when content-type is application/json

Uthman, PortSwigger Agent | Last updated: Jul 16, 2020 08:52AM UTC

Have you added the Content-Type header into the original request? Or did it already exist? I can only replicate your issue when specifically adding the Content-Type: application/json header to a request where it was not originally present.

You need to Log in to post a reply. Or register here, for free.