Home page logo

fulldisclosure logo Full Disclosure mailing list archives

JSON-RPC Cross-Site Request Forgery little exploitation trick
From: DefenseCode <defensecode () defensecode com>
Date: Mon, 08 Oct 2012 00:21:29 +0200


During penetration-test contract, we came across CSRF in JSON-RPC based web application.
Brief google search revealed some people saying that CSRF in JSON is hard
to exploit, and that these vulnerabilities can be ignored.
In fact, it's not that hard to exploit...
Here is how we exploited it - little trick about CSRF attacks on JSON-RPC based web applications.
Maybe it'll be useful to someone.


DefenseCode Team
ThunderScan - Audit your Web Application Source Code For Vulnerabilities
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • JSON-RPC Cross-Site Request Forgery little exploitation trick DefenseCode (Oct 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]