I'm trying to do some CSRF attack testing on a site.
I found that the site protects itself from CSRF by checking the HTTP Origin
header.
But I guess that under some conditions I can bypass the protection. When I delete the Origin
header, the CSRF attack succeeds.
It means that the server only checks the Origin header for CSRF protection and accepts a "none"
value.
Is there any way to do the following exploit, please?
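The server-side gap described in the post, shown next to a check that fails closed. This is an added example and not part of the original post. The allowlisted origin, the function names and the plain dict of headers with exact-case keys are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed for this sketch: the site's own origin and the state-changing methods.
ALLOWED_ORIGINS = {"https://app.example.test"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def _origin_of(url):
    """Reduce a Referer URL to scheme://host[:port]; None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def weak_check(method, headers):
    """Behaviour described in the post: only a present, wrong Origin fails."""
    origin = headers.get("Origin")
    if origin is None:
        return True  # absent header is accepted
    return origin.lower() in ALLOWED_ORIGINS

def strict_check(method, headers):
    """Fail closed: a state-changing request must show a same-site source."""
    if method.upper() not in STATE_CHANGING:
        return True
    origin = headers.get("Origin")
    if origin is not None:
        # The literal "null" origin is never in the allowlist, so it fails.
        return origin.lower() in ALLOWED_ORIGINS
    referer = headers.get("Referer")
    if referer is not None:
        return _origin_of(referer) in ALLOWED_ORIGINS
    return False  # neither header present: reject

# Constructed sample requests (method, headers).
SAMPLES = [
    ("POST", {"Origin": "https://app.example.test"}),
    ("POST", {"Origin": "https://other.example.test"}),
    ("POST", {}),
    ("POST", {"Origin": "null"}),
    ("POST", {"Referer": "https://app.example.test/settings"}),
    ("POST", {"Referer": "https://app.example.test.other.example.test/x"}),
]

def compare():
    """Return (weak, strict) verdicts for each sample, True meaning accepted."""
    return [(weak_check(m, h), strict_check(m, h)) for m, h in SAMPLES]
```

Rejecting requests that carry neither header can block clients behind header-stripping proxies, which is why a header check like this is usually paired with a CSRF token rather than used alone.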