ignore JSON requests in mod_csrf

wapiti-scanner · Apr 20, 2024 · 6bee660 · 6bee660
1 parent c21e85a
commit 6bee660
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/wapitiCore/attack/mod_csrf.py b/wapitiCore/attack/mod_csrf.py
@@ -173,6 +173,11 @@ async def must_attack(self, request: Request, response: Optional[Response] = Non
         if request.method != "POST":
             return False
 
+        # JSON requests can only be sent using JS with same-origin policy in place
+        # so, it is unlikely that a CSRF is possible. Let's filter those requests to prevent false positives
+        if request.is_json:
+            return False
+
         if (request.url, request.post_keys) in self.already_vulnerable:
             return False