https://systemoverlord.com/tags/hacks.htmlRecent content in Hacks on System OverlordHugoen-usdavid@systemoverlord.com (David Tomaschik)david@systemoverlord.com (David Tomaschik)Wed, 24 Aug 2016 00:00:00 +0000https://systemoverlord.com/2016/08/24/posting-json-with-an-html-form.htmlWed, 24 Aug 2016 00:00:00 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2016/08/24/posting-json-with-an-html-form.html<p>A coworker and I were looking at an application today that, like so many other modern web applications, offers a RESTful API with JSON being used for serialization of requests/responses. She noted that the application didn&rsquo;t include any sort of CSRF token and didn&rsquo;t seem to use any of the headers (X-Requested-With, Referer, Origin, etc.) as a &ldquo;poor man&rsquo;s CSRF token&rdquo;, but since it was posting JSON, was it really vulnerable to CSRF? <strong>Yes, yes, definitely yes!</strong></p>