Initial version for JWT

Nanne Baars
2018-04-23 11:09:30 +02:00
parent 63ca11a1bb
commit ea9c1a453d
25 changed files with 690 additions and 35 deletions


@ -3,7 +3,7 @@
A lot of web applications implement no protection against CSRF they are somehow protected by the fact that
they only work with `application/json` as content type. The only way to make a request with this content-type from the
browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards
the server (remember the CSRF request will be cross origin). If the preflight response does not allow the cross origin
the server (remember the CSRF request will be cross origin). If the pre-flight response does not allow the cross origin
request the browser will not make the call.
To make a long answer short: this is *not* a valid protection against CSRF.
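Review bot: the changed line now reads "pre-flight response" while the unchanged context line two above it still says "preflight request", so the paragraph mixes both spellings. "preflight" is the form the CORS/Fetch specification uses, so I would keep it unhyphenated in both places rather than introduce the hyphen here. This wording tweak to the CSRF text is also unrelated to a commit titled "Initial version for JWT" and would be easier to review as its own commit. While touching this paragraph, the opening sentence is a run-on ("implement no protection against CSRF they are somehow protected") and "a XHR request" should read "an XHR request".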