[Owasp-cincinnati] Demonstrate CSRF with Web app only accept POST

Joe Combs jcombs10 at cinci.rr.com
Fri Jun 20 17:44:51 EDT 2008

If you borrow a technique from the ajax crowd and do your submit in 
javascript via XMLHttpRequest you should get the desired behavior in 
your demo. The app could then silently swallow the result returned by 
the form submission.


Zhou, Yan wrote:
> Hi there,
> I want to demonstrate CSRF with a vulnerable Web application.
> Here is the idea: the user first logs in to the vulnerable web app (it 
> only accepts POST), and then the user clicks on an "attack" web 
> page, which does an automatic form submit. That completes the CSRF 
> exercise. However, once the form is submitted, the user will notice, 
> because the screen will have changed.
> How would you hide this so that the user cannot see the result of the form 
> submit? I have tried a page redirect, but it is not working as I expected. 
> The problem seems to be: once the form is submitted, I cannot rely on 
> any code after it being executed (simply because the server will now 
> respond with a different page)...
> Thanks,
> Yan
> ------------------------------------------------------------------------
> _______________________________________________
> Owasp-cincinnati mailing list
> Owasp-cincinnati at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cincinnati
