[Owasp-cincinnati] Demonstrate CSRF with Web app only accept POST

Zhou, Yan yzhou at medplus.com
Thu Jun 19 10:14:33 EDT 2008

Hi there, 


I want to demonstrate CSRF with a vulnerable Web application. 


Here is the idea, the user first login to the vulnerable web app (it
only accepts POST), and then the user will click on an "attack" web
page, which does an automatic form submit. That completes CSRF exercise.
However, once the form is submitted, the user will notice that because
the screen will have changed. 


How would you hide this so that user cannot see the result of form
submit.  I have tried page redirect but is not working as I expected.
The problem seems to be: once the form is submitted, I cannot rely on
any code after it being executed (simply because the server will now
respond with a different page) ....





Confidentiality Notice: The information contained in this electronic transmission is confidential and may be legally privileged. It is intended only for the addressee(s) named above. If you are not an intended recipient, be aware that any disclosure, copying, distribution or use of the information contained in this transmission is prohibited and may be unlawful. If you have received this transmission in error, please notify us by telephone (513) 229-5500 or by email (postmaster at MedPlus.com). After replying, please erase it from your computer system.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-cincinnati/attachments/20080619/ec3cee9a/attachment.html 

More information about the Owasp-cincinnati mailing list