WebApp Sec mailing list archives
Re: CSRF through POST
From: Robin Wood <dninja () gmail com>
Date: Tue, 22 Dec 2009 09:22:58 +0000
2009/12/22 chr1x <chr1x () sectester net>:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Robin,

I went over your question and it looks pretty interesting, so, as Boaz said, the way that you can use is JavaScript to do the job. Take this example:

<form name="myform" action="handle-data.php" method="post">
  Search: <input type='text' name='query' />
  <a href="javascript: submitform()">Search</a>
</form>
<script type="text/javascript">
function submitform()
{
  document.myform.submit();
}
</script>

JavaScript uses a submit() method which is used for HTML forms in order to send data over the HTTP POST method. In this case, you can configure the JavaScript given as an example as you require.

Thanks, I've also seen the submit call being done through onDocumentLoad and from timers, which seems to be an ideal way to work with multi-page forms.

I'm building up a nice little arsenal of attacks here.

Robin
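
Seen from the receiving end of the auto-submitted form discussed in this thread, the following server-side check is an added example and not part of the original messages. It accepts a state-changing POST only when the request comes from the site's own origin and carries a session-bound token. The origin, key, `csrf_token` field name and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumptions for this sketch: the site's own origin and a server-side secret.
SITE_ORIGIN = "https://app.example"      # hypothetical origin
SERVER_KEY = b"constructed-demo-key"     # load from a secret store in practice


def issue_token(session_id: str) -> str:
    """Token the server embeds as a hidden field in the forms it renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Check Origin, falling back to Referer; reject when neither is present."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def accept_post(headers: dict, form: dict, session_id: str) -> bool:
    """Accept a state-changing POST only if both checks pass."""
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    # Compare as bytes so non-ASCII input cannot raise, and in constant time.
    token_ok = hmac.compare_digest(supplied.encode(), expected.encode())
    return same_origin(headers) and token_ok


# Constructed sample requests. Each one would arrive with the user's session
# cookie, because the browser attaches it regardless of which page submitted.
SESSION = "sess-1234"
legit = ({"Origin": "https://app.example"},
         {"query": "x", "csrf_token": issue_token(SESSION)})
via_referer = ({"Referer": "https://app.example/search"},
               {"query": "x", "csrf_token": issue_token(SESSION)})
auto_submitted = ({"Origin": "https://other.example"}, {"query": "x"})
sandboxed = ({"Origin": "null"},
             {"query": "x", "csrf_token": issue_token(SESSION)})
guessed_token = ({"Origin": "https://app.example"},
                 {"query": "x", "csrf_token": "0" * 64})
```

A script-submitted cross-site form fails both checks: the browser sets `Origin` to the submitting page's origin, and that page cannot read the token tied to the user's session.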