Skip to main content

Q: How can CSRF be exploited with JSON requests?

A: CSRF attacks can also target JSON APIs. If a user is authenticated, an attacker can craft a malicious page that sends a cross-origin request with a JSON payload. The victim's browser will automatically include the session cookies, and if the API does not have proper CSRF protection (e.g., a token or Referer header check), the request will be processed as if it were legitimate.

Defences:

  • Implementing CSRF tokens.
  • Using the Referer header to validate the request's origin.
  • Adding a security token in the JSON payload.
  • Using HttpOnly cookies to prevent script access.
  • Implementing request rate limiting.
  • Using network-level security controls.