Taiga Shirakura

Taiga Shirakura has been researching security since his student days and currently works at Mitsui Bussan Secure Directions, Inc. (MBSD), conducting web application security assessments and penetration testing. He enjoys vulnerability research as a hobby and has obtained multiple CVEs in web frameworks by investigating gaps between specifications and implementations in HTTP headers, URLs, and related areas.

Simple Request Blind Spots Overlooked by Web Frameworks - Four Pitfalls in Modern CSRF Protection

Origin header validation combined with Simple Request checking is a modern CSRF protection technique. However, many web frameworks that implemented this approach had validation flaws due to misunderstanding the detailed browser specifications. There is a gap between how Simple Requests are explained in the context of CORS and how browsers actually send requests—a gap that you cannot notice just by reading MDN or technical books.

In this talk, I focus on Content-Type validation flaws and demonstrate vulnerabilities I discovered in several popular web frameworks, along with the actual requests browsers send.

I will present four patterns of validation flaws, explain the pitfalls that even framework developers overlooked in modern CSRF protection, and describe correct implementation practices.