cgdjmrsp at gmail.com
Mon Aug 18 17:09:49 UTC 2014
Hi, I'm a recent compsci grad trying to learn about infosec and
pen-testing. I've been playing with Metasploitable and Mutillidae and I
have a question that's not about Mutillidae per se (though it is directly
If this is not the appropriate place for such a question, I apologize, and
feel free to ignore the rest of this email.
On the Mutillidae add-to-blog page
(/mutillidae/index.php?page=add-to-your-blog.php) one of the CSRF hints
contains some code for an HTML form injection that includes the following
this creates a bit of text that should do the following upon mouseover:
1. save the current URL
2. submit form 'CSRF'
3. return to the saved URL
but in practice it does something very strange. Instead of submitting the
form as a POST, it submits it as a GET, and so the form is not properly
submitted. If I remove the statement "document.location.href=lURL;", it
submits the form correctly (though obviously the browser then doesn't
return to the original page).
My guess is that this is some sort of same-origin policy policing on the
browser's part, but I really have no idea how it's happening or why. Any
ideas as to what's going on?
I'm using Mutillidae 2.1.19 on Kali; the browser is IceWeasel 24.7.0.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp_mutillidae_2_project