Friday, March 27, 2015

CSRF on GWT apps: bypassing the Same-Origin policy



At work we suspect a GWT app we own (not in production yet) to be vulnerable to CSRF. We have to look at it from a black-box point of view before a third-party security audit is performed.


Due to the fact that all calls in the app are made through AJAX (with method POST), simply replicating an AJAX call in a malicious way is not achievable thanks to the Same-Origin policy. In fact we know that there is no CSRF protection, but since only requests with JSON bodies are accepted by the server, it feels at first glance that the vulnerability cannot be exploited.


Is there a way to forge a similar request through a browser with a classic form? My problem is that I cannot replicate the JSON body of the AJAX call through a form: the app reads the JSON body of the requests, and submitting a classic form requires inputs with key/value pairs which would not be taken into account by the server.


In other words, is it possible, with an HTML form, to submit a request that just contains JSON in the body, instead of key-value pairs? Or is there another attack angle for such cases?


Thanks!
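As an added example (not code from the original post, nor from GWT), here is the kind of server-side check a defender would put in front of such JSON endpoints so that acceptance does not hinge on the body format alone: a browser form cannot send an `application/json` Content-Type or add custom headers cross-site, so requiring both, plus an Origin/Referer match, closes the gap the question worries about. The header name, the expected origin and the sample requests are assumptions.

```python
# Added example, not the original post's or GWT's code. Header names, the
# expected origin and all sample requests below are constructed assumptions.
import json
from typing import Mapping, Optional
from urllib.parse import urlparse

EXPECTED_ORIGIN = "https://app.example.com"   # assumed deployment origin
CUSTOM_HEADER = "X-Requested-With"            # assumed header set by the GWT client
CUSTOM_VALUE = "XMLHttpRequest"


def _lower_keys(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def reject_reason(headers: Mapping[str, str], body: bytes) -> Optional[str]:
    """Return None if the request may be processed, otherwise why it is refused."""
    h = _lower_keys(headers)
    # 1. Strict media type: a plain HTML form can never produce application/json.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return f"unexpected content type {ctype!r}"
    # 2. Custom header: cross-site forms cannot add one, and a script would need
    #    a CORS preflight that the server does not grant.
    if h.get(CUSTOM_HEADER.lower()) != CUSTOM_VALUE:
        return "missing custom request header"
    # 3. Origin (or Referer as fallback) must be our own site.
    origin = h.get("origin") or h.get("referer")
    if origin is None:
        return "no Origin or Referer header"
    p = urlparse(origin)
    if f"{p.scheme}://{p.netloc}" != EXPECTED_ORIGIN:
        return f"cross-site origin {origin!r}"
    # 4. Only now parse the body; a malformed body is rejected, not guessed at.
    try:
        json.loads(body)
    except ValueError:
        return "body is not valid JSON"
    return None


# Constructed sample requests: the legitimate AJAX call and a classic form POST.
LEGIT_HEADERS = {"Content-Type": "application/json; charset=UTF-8",
                 CUSTOM_HEADER: CUSTOM_VALUE, "Origin": EXPECTED_ORIGIN}
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded",
                "Origin": "https://evil.example"}
```

Running `reject_reason(FORM_HEADERS, b"a=1")` yields the content-type rejection, which is the first of the three independent checks a forged form submission fails.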




