Content-Type Research
August 20, 2020 ยท View on GitHub
XSS
Content-Type that can be used for XSS and some related tricks
CSRF
All frameworks were analyzed with disabled default token-based CSRF protection
Examples of incorrect Content-Type parsing that can be used for CSRF.
For example, the ability to send an HTTP request that will be interpreted as JSON without a CORS preflight request.
Can be used in combination with attacks requiring boolean or array in HTTP request (PHP Type Juggling, NoSQL Injection, Prototype Pollution, ...)
Interesting results
- Difference of Content-Type processing in browsers
- Laravel JSON Content-Type parsing
- Laminas, Mezzio, Zend Framework JSON Content-Type parsing
- Wordpress JSON Content-Type parsing
WAF Bypass
Basic Idea
| HTTP Request | Application | WAF | Result |
|---|---|---|---|
| Content-Type: application/x-www-form-urlencoded q=' union select '1 | ' union select 1' | ' union select 1' | :heavy_minus_sign: Blocked |
| Content-Type: application/json {"q":"' \u0075nion \u0073elect '1"} | ' union select 1' | ' union select 1' | :heavy_minus_sign: Blocked |
| Content-Type: application/x-www-form-urlencoded;/json {"q":"' \u0075nion \u0073elect '1"} | ' union select 1' | {"q":"' \u0075nion \u0073elect '1"} | :heavy_check_mark: Bypass |
Interesting results
- PHP multipart boundary parsing
- Laravel JSON Content-Type parsing
- Symfony JSON/XML Content-Type parsing
- Laminas, Mezzio, Zend Framework JSON Content-Type parsing
- Flask JSON Content-Type parsing
- CherryPy multipart & JSON Content-Type parsing
- Express multer multipart Content-Type parsing
- Rails multipart & JSON Content-Type parsing
Programming languages / Frameworks
| Name | CSRF friendly | WAF Bypass friendly |
|---|---|---|
| PHP | :heavy_check_mark: | |
| Laravel | :heavy_check_mark: | :heavy_check_mark: |
| Symfony | :heavy_check_mark: | |
| Laminas, Mezzio, Zend | :heavy_check_mark: | :heavy_check_mark: |
| Yii | :question: | |
| Wordpress | :question: | :question: |
| CakePHP | :question: | :question: |
| CodeIgniter | :question: | :question: |
| Django | :question: | :heavy_check_mark: |
| Flask | :heavy_check_mark: | |
| CherryPy | :heavy_check_mark: | |
| Express body-parser | ||
| Express multer | :heavy_check_mark: | |
| Rails | :heavy_check_mark: |