What? Most endpoints I came across were using content type JSON, triggering a preflight request, which killed any attempt at CSRF.
It's probably uncommon, PortSwigger stated:
"POST requests that use a content type of application/json are secure against forgery as long as the content type is validated. However, alternative methods such as GET, or any request that has a content type of x-www-form-urlencoded"
Worth a try! 🙏
@intigriti thx ... Looks like it's validated too.
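
Added example, not part of the comments above: a server-side check for the content-type validation the PortSwigger quote refers to, rejecting the three content types a cross-site form can send without a preflight. The function names and the sample requests are constructed for illustration and assume a state-changing JSON endpoint.

```javascript
// Added example; names are hypothetical, sample requests are constructed.
// Content types a cross-origin "simple" request (e.g. an HTML form) can send
// without triggering a CORS preflight.
const NO_PREFLIGHT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Return the lowercase media type with parameters (charset etc.) removed.
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return "";
  return headerValue.split(";")[0].trim().toLowerCase();
}

// Decide whether a state-changing request to a JSON endpoint may be processed.
function checkJsonRequest(method, contentTypeHeader) {
  const m = String(method).toUpperCase();
  if (m === "GET" || m === "HEAD" || m === "OPTIONS") {
    return { allow: false, reason: "state change requested with a safe method" };
  }
  const type = mediaType(contentTypeHeader);
  if (type === "application/json") {
    return { allow: true, reason: "strict JSON content type" };
  }
  if (NO_PREFLIGHT_TYPES.has(type)) {
    return { allow: false, reason: "content type is sendable without preflight" };
  }
  return { allow: false, reason: "unexpected or missing content type" };
}

// Constructed sample requests: [method, Content-Type header].
const samples = [
  ["POST", "application/json; charset=utf-8"],
  ["POST", "application/x-www-form-urlencoded"],
  ["POST", "text/plain; application/json"], // a substring match would accept this
  ["POST", undefined],
  ["GET", "application/json"],
];
for (const [method, ct] of samples) {
  const r = checkJsonRequest(method, ct);
  console.log(method, JSON.stringify(ct), "->", r.allow ? "allow" : "reject", `(${r.reason})`);
}
```
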