Any way to bypass a preflighted XHR request in a CSRF attack?
I found a website where, as CSRF protection, they have CORS and a short custom header (without a token, just a header that is the same for all users). I found a way to bypass the CORS protection, but when trying to reproduce the vulnerability I need to add the custom header too.
The header looks like this: something: v2
So it doesn't have a token or anything, but when I add it to the XHR PoC generated by Burp Suite Pro, the request gets preflighted and goes out as OPTIONS. Is there any way to bypass this?
I think there is a way, because if not, all websites should add a small custom header to all requests to be protected against CSRF.
Hi, could you clarify whether you are asking if there is any way to prevent the preflight request when submitting the XHR PoC from the browser?
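The two decisions behind the behaviour in the question are both fixed by the browser, not by the PoC: whether a cross-site request gets an OPTIONS preflight is decided by the Fetch specification's CORS-safelist rules (any non-safelisted header name such as "something" forces one), and whether the preflight is then honoured is decided purely by the target's OPTIONS response, which must echo the attacker origin, allow credentials, and explicitly list the custom header in Access-Control-Allow-Headers (wildcards are not honoured for credentialed requests). The following is an added example written for this page, not code from the thread or from Burp Suite; it models those two checks in a simplified form (header-value length and byte restrictions from the spec are omitted) and runs them against constructed server responses. The header name "something", the attacker origin, and both OPTIONS responses are assumptions for illustration, not observations about the site in the question.

```javascript
// Added example (not from the original thread). Models two browser decisions:
// (1) does a cross-site XHR/fetch get an OPTIONS preflight, and
// (2) would a given OPTIONS response let a credentialed request through.
// Simplified from the Fetch spec: header value length/byte limits omitted.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True if this header name/value is CORS-safelisted, i.e. it does not by
// itself force a preflight. Any other name (e.g. "something") does.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (n === 'accept' || n === 'accept-language' || n === 'content-language') return true;
  if (n === 'content-type') {
    const mime = String(value).split(';')[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(mime);
  }
  return false;
}

// Decision (1): does the browser send an OPTIONS preflight first?
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSafelistedHeader(k, v));
}

function lowercaseKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
}

function splitList(s) {
  return (s || '').split(',').map((x) => x.trim().toLowerCase()).filter(Boolean);
}

// Decision (2): given the attacker origin, the intended request and the
// target's OPTIONS response headers, would a credentialed request be released?
function preflightPasses(origin, method, headers, optionsResponse) {
  const h = lowercaseKeys(optionsResponse);
  const allowCreds = String(h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  // With credentials, "*" is not accepted; the exact origin must be echoed.
  if (h['access-control-allow-origin'] !== origin || !allowCreds) return false;
  const allowedMethods = splitList(h['access-control-allow-methods']);
  const allowedHeaders = splitList(h['access-control-allow-headers']);
  // "*" in Allow-Methods/Allow-Headers is literal for credentialed requests,
  // so it never matches a real method or header name here.
  if (!SAFELISTED_METHODS.has(method.toUpperCase()) && !allowedMethods.includes(method.toLowerCase())) return false;
  for (const [k, v] of Object.entries(headers)) {
    if (!isSafelistedHeader(k, v) && !allowedHeaders.includes(k.toLowerCase())) return false;
  }
  return true;
}

// Constructed scenario mirroring the question: a form-encoded POST that also
// carries a fixed custom header. Origin and header name are assumptions.
const ATTACKER = 'https://attacker.example';
const REQUEST = {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded', something: 'v2' },
};

// Constructed OPTIONS responses (hypothetical, not the site from the thread).
// A "CORS bypass" that only gets the origin echoed looks like the first one.
const ECHO_ORIGIN_ONLY = {
  'Access-Control-Allow-Origin': ATTACKER,
  'Access-Control-Allow-Credentials': 'true',
};
const ECHO_ORIGIN_AND_HEADER = {
  ...ECHO_ORIGIN_ONLY,
  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type, something',
};

function evaluate() {
  return {
    // Plain form POST: no preflight, but it cannot carry the custom header.
    formPostPreflighted: needsPreflight('POST', { 'Content-Type': 'application/x-www-form-urlencoded' }),
    // Same POST with "something: v2": the header alone forces OPTIONS.
    customHeaderPreflighted: needsPreflight(REQUEST.method, REQUEST.headers),
    // Origin echoed but header not allowed: browser drops the real request.
    passesWithOriginOnly: preflightPasses(ATTACKER, REQUEST.method, REQUEST.headers, ECHO_ORIGIN_ONLY),
    // Origin echoed and header listed: the credentialed POST goes through.
    passesWithHeaderAllowed: preflightPasses(ATTACKER, REQUEST.method, REQUEST.headers, ECHO_ORIGIN_AND_HEADER),
  };
}

console.log(evaluate());
```

What this makes concrete: the preflight cannot be suppressed from a page the browser is rendering, so the thing to check in Burp is the target's response to an OPTIONS request that carries Origin: (attacker origin) and Access-Control-Request-Headers: something. Only if that response echoes the origin with Access-Control-Allow-Credentials: true and names the custom header in Access-Control-Allow-Headers does the XHR PoC proceed; an origin-reflection weakness on its own, as in the ECHO_ORIGIN_ONLY case, is not enough.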