https://github.com/BlackFan/content-type-research
Content-Type Research
- Host: GitHub
- URL: https://github.com/BlackFan/content-type-research
- Owner: BlackFan
- Created: 2020-08-18T05:14:31.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2024-02-08T08:15:34.000Z (over 1 year ago)
- Last Synced: 2024-03-14T15:56:27.092Z (over 1 year ago)
- Size: 39.1 KB
- Stars: 431
- Watchers: 20
- Forks: 49
- Open Issues: 1
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - BlackFan/content-type-research - Content-Type Research (Others)
README
# Content-Type Research
## XSS
[Content-Type that can be used for XSS and some related tricks](XSS.md)
## CSRF
> **All frameworks were analyzed with disabled default token-based CSRF protection**
Examples of incorrect Content-Type parsing that can be used for CSRF.
For example, the ability to send an HTTP request that will be interpreted as JSON without a CORS preflight request.
This can be combined with attacks that require a boolean or an array in the HTTP request (PHP Type Juggling, NoSQL Injection, Prototype Pollution, ...).
**Interesting results**
* [Difference of Content-Type processing in browsers](Browsers.md)
* [Laravel JSON Content-Type parsing](ct-tricks/Laravel.md)
* [Laminas, Mezzio, Zend Framework JSON Content-Type parsing](ct-tricks/Mezzio.md)
* [Wordpress JSON Content-Type parsing](ct-tricks/Wordpress.md)
## WAF Bypass
### Basic Idea
| HTTP Request | Application | WAF | Result |
|--------------|-------------|-----|--------|
| `Content-Type: application/x-www-form-urlencoded`<br>`q=' union select '1` | `' union select 1'` | `' union select 1'` | :heavy_minus_sign: Blocked |
| `Content-Type: application/json`<br>`{"q":"' \u0075nion \u0073elect '1"}` | `' union select 1'` | `' union select 1'` | :heavy_minus_sign: Blocked |
| `Content-Type: application/x-www-form-urlencoded;/json`<br>`{"q":"' \u0075nion \u0073elect '1"}` | `' union select 1'` | `{"q":"' \u0075nion \u0073elect '1"}` | :heavy_check_mark: Bypass |
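The following is an added example, not code from the content-type-research repository. It models the parsing mismatch behind both the CSRF section above and this table: `parse_media_type` follows the media-type grammar of RFC 7231 with the Fetch standard's rule that a parameter without `=` is skipped rather than fatal (standing in for the browser's CORS-safelist check and for a WAF that reads the header the same way), `lenient_is_json` stands in for the substring heuristics the framework case studies describe, and `strict_is_json` is the hardened form that compares the media-type essence. `classify`, `MediaType` and the sample headers are constructed for this illustration.

```python
"""Strict vs. lenient Content-Type classification (added example).

A browser decides whether a cross-origin request needs a CORS preflight from
the media-type *essence* (type/subtype) of Content-Type.  If the application
instead decides "is this JSON?" by looking for a substring, the two parties
can read the same header differently, which is the condition the README's
CSRF and WAF-bypass sections describe.  All headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Essences a browser may send cross-origin without a preflight
# (Fetch standard, "CORS-safelisted request-header" rule for Content-Type).
CORS_SAFELISTED_ESSENCES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# RFC 7230 tchar: characters allowed in type, subtype and parameter names.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


@dataclass
class MediaType:
    main_type: str
    subtype: str
    params: Dict[str, str] = field(default_factory=dict)

    @property
    def essence(self) -> str:
        return f"{self.main_type}/{self.subtype}"


def _is_token(s: str) -> bool:
    return bool(s) and all(c in TCHAR for c in s)


def parse_media_type(value: str) -> Optional[MediaType]:
    """Parse a Content-Type value the way the Fetch MIME parser does.

    type/subtype must be tokens; parameters are name=value (value may be a
    quoted-string); a parameter with no "=" (e.g. ";/json") or an invalid one
    is ignored rather than rejecting the header.  None only when the
    type/subtype itself is unusable.
    """
    head, _, rest = value.strip().partition(";")
    main_type, slash, subtype = head.partition("/")
    main_type, subtype = main_type.strip().lower(), subtype.strip().lower()
    if not slash or not _is_token(main_type) or not _is_token(subtype):
        return None
    params: Dict[str, str] = {}
    for raw in rest.split(";"):
        name, eq, val = raw.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not eq or not _is_token(name) or name in params:
            continue  # malformed or duplicate parameter: skipped, not fatal
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string; inner escapes not needed here
        elif not _is_token(val):
            continue
        params[name] = val
    return MediaType(main_type, subtype, params)


def lenient_is_json(content_type: str) -> bool:
    """Substring heuristic of the kind the case studies find in frameworks."""
    return "json" in content_type.lower()


def strict_is_json(content_type: str) -> bool:
    """Hardened check: parse, then compare the essence (or a +json suffix)."""
    mt = parse_media_type(content_type)
    return mt is not None and (mt.essence == "application/json"
                               or mt.subtype.endswith("+json"))


def is_cors_safelisted(content_type: str) -> bool:
    """True when a browser would send this Content-Type without a preflight."""
    mt = parse_media_type(content_type)
    return mt is not None and mt.essence in CORS_SAFELISTED_ESSENCES


def classify(content_type: str) -> Dict[str, bool]:
    """How the parties read one header, and whether they disagree."""
    no_preflight = is_cors_safelisted(content_type)
    lenient = lenient_is_json(content_type)
    return {
        "no_preflight": no_preflight,
        "lenient_app_sees_json": lenient,
        "strict_app_sees_json": strict_is_json(content_type),
        # Preflight-free yet parsed as JSON by the application: the
        # CSRF / WAF-bypass condition the README describes.
        "mismatch": no_preflight and lenient,
    }


# Constructed sample headers: the table's three plus a +json structured suffix.
SAMPLES = [
    "application/x-www-form-urlencoded",
    "application/json",
    "application/x-www-form-urlencoded;/json",
    "application/vnd.api+json",
]

if __name__ == "__main__":
    for ct in SAMPLES:
        print(f"{ct!r:45} -> {classify(ct)}")
```

Only the third sample reports `mismatch`: the browser and the strict parser both read it as a form body (the `/json` fragment is discarded as an invalid parameter), while the substring check accepts it as JSON. The defensive takeaway is that the application's body-parser selection and the WAF's decoding must both key off the parsed essence, with the same parsing algorithm the browser uses, rather than off a substring match.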
**Interesting results**
* [PHP multipart boundary parsing](ct-tricks/PHP.md)
* [Laravel JSON Content-Type parsing](ct-tricks/Laravel.md)
* [Symfony JSON/XML Content-Type parsing](ct-tricks/Symfony.md)
* [Laminas, Mezzio, Zend Framework JSON Content-Type parsing](ct-tricks/Mezzio.md)
* [Flask JSON Content-Type parsing](ct-tricks/Flask.md)
* [CherryPy multipart & JSON Content-Type parsing](ct-tricks/CherryPy.md)
* [Express multer multipart Content-Type parsing](ct-tricks/Express_multer.md)
* [Rails multipart & JSON Content-Type parsing](ct-tricks/Rails.md)
## Programming languages / Frameworks
| Name | CSRF friendly | WAF Bypass friendly |
|------|---------------|---------------------|
| [PHP](ct-tricks/PHP.md) | | :heavy_check_mark: |
| [Laravel](ct-tricks/Laravel.md) | :heavy_check_mark: | :heavy_check_mark: |
| [Symfony](ct-tricks/Symfony.md) | | :heavy_check_mark: |
| [Laminas, Mezzio, Zend](ct-tricks/Mezzio.md) | :heavy_check_mark: | :heavy_check_mark: |
| [Yii](ct-tricks/Yii.md) | :question: | |
| [Wordpress](ct-tricks/Wordpress.md) | :question: | :question: |
| [CakePHP](ct-tricks/CakePHP.md) | :question: | :question: |
| [CodeIgniter](ct-tricks/CodeIgniter.md) | :question: | :question: |
| [Django](ct-tricks/Django.md) | :question: | :heavy_check_mark: |
| [Flask](ct-tricks/Flask.md) | | :heavy_check_mark: |
| [CherryPy](ct-tricks/CherryPy.md) | | :heavy_check_mark: |
| [Express body-parser](ct-tricks/Express_body-parser.md) | | |
| [Express multer](ct-tricks/Express_multer.md) | | :heavy_check_mark: |
| [Rails](ct-tricks/Rails.md) | | :heavy_check_mark: |