HackTricks-wiki / hacktricks

Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.
http://book.hacktricks.xyz/

CSRF bypass changing content type #117

Closed martinbydefault closed 3 years ago

martinbydefault commented 3 years ago

When reading this section: https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/csrf-cross-site-request-forgery.md#content-type-change, I'm not sure if this is correct. It says that:

You can change to POST Content-Type to application/json, application/x-url-encoded or form-multipart and maybe you will be able to bypass the CSRF token.

Instead of application/json, shouldn't it be text/plain?

As far as I know, the three content types that don't trigger a CORS preflight request are (reference: MDN):

carlospolop commented 3 years ago

Hi @martinbydefault,

Thank you for your info! Actually the original idea of that part of the post was to indicate that a different content-type may trigger a different behaviour in the server. However, I have added your information in that part of the post and in the CORS page, so thanks!
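
The server-side counterpart of this discussion, as an added example that is not part of the thread or of HackTricks: an endpoint pins the one Content-Type it accepts and notes whether the type it received is one a cross-origin page can send without a CORS preflight. The function names and sample headers are hypothetical; the three no-preflight media types are the CORS-safelisted Content-Type values from the Fetch standard.

```javascript
// Added example. mediaTypeEssence, checkContentType and the sample headers
// are hypothetical names and constructed values, not HackTricks code.

// Media types a cross-origin page can send without a CORS preflight
// (CORS-safelisted Content-Type values, per the Fetch standard).
const NO_PREFLIGHT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Reduce a Content-Type header to "type/subtype": drop parameters such as
// charset or boundary, trim whitespace, lowercase. Returns "" when absent.
function mediaTypeEssence(header) {
  if (typeof header !== "string") return "";
  return header.split(";")[0].trim().toLowerCase();
}

// Decide whether a state-changing endpoint should parse the body at all.
// `expected` is the single media type the endpoint is documented to take.
function checkContentType(header, expected) {
  const essence = mediaTypeEssence(header);
  const noPreflight = NO_PREFLIGHT_TYPES.has(essence);
  if (essence !== expected) {
    // Reject before any body parser runs, so a body sent under another
    // type never reaches a handler that behaves differently for it.
    return { accept: false, noPreflight, reason: `unexpected type "${essence}"` };
  }
  // A matching type is only the first gate: the CSRF token is still verified.
  return { accept: true, noPreflight, reason: "type ok; verify CSRF token next" };
}

// Constructed sample headers for an endpoint that only takes JSON.
const samples = [
  "application/json; charset=utf-8",
  "text/plain;charset=UTF-8",
  "Application/X-WWW-Form-Urlencoded",
  undefined,
];
for (const header of samples) {
  console.log(header, checkContentType(header, "application/json"));
}
```
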