Q: How can CSRF be exploited with JSON requests?
A: CSRF attacks can also target JSON APIs. If a user is authenticated, an attacker can craft a malicious page that sends a cross-origin request with a JSON payload. The victim's browser will automatically include the session cookies, and if the API does not have proper CSRF protection (e.g., a token or Referer header check), the request will be processed as if it were legitimate.
Defences:
- Implementing CSRF tokens.
- Using the
Refererheader to validate the request's origin. - Adding a security token in the JSON payload.
- Using
HttpOnlycookies to prevent script access. - Implementing request rate limiting.
- Using network-level security controls.