XSRF POST Testing
February 3rd, 2010 by mopey
PoCs for XSRFs that only allow POST are not as straightforward as those for GET. I use something like the following for situations like that.
<html>
<head></head>
<body>
<script>
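/**
 * Send the text from the "postparam" field as the body of a POST request to
 * the URL in the "posturl" field, then show what the browser lets this page
 * read of the reply.
 *
 * Harness for checking whether a state-changing POST endpoint accepts a
 * request that was started from another page.
 *
 * Reading the result:
 *  - The alert shows only what the browser exposes to this page. When the
 *    target is on another origin and does not grant read access, the status
 *    is 0 and the body is empty even if the request reached the server, so
 *    confirm the outcome in the application's own logs or state.
 *  - No request headers are set here; the browser chooses them for a string
 *    body. A rejection seen with this page is therefore not, on its own,
 *    proof that the endpoint is protected.
 *  - A defended endpoint is expected to refuse the request: missing or wrong
 *    anti-CSRF token, failed Origin/Referer check, or session cookie withheld
 *    by its SameSite attribute.
 *
 * Takes no arguments and returns nothing; all input comes from the two form
 * fields and all output goes to alert().
 */
function poststuff() {
  var site = document.getElementById("posturl").value.trim();
  var post_data = document.getElementById("postparam").value;

  // An empty URL resolves against this page's own address, so the POST would
  // go to the harness itself instead of the endpoint under test.
  if (site === "") {
    alert("site: (empty) - enter the URL of the endpoint under test");
    return;
  }

  // Echo both inputs so the tester can record exactly what was sent.
  alert("site: " + site);
  alert("pdata: " + post_data);

  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open("POST", site, true); // third argument true = asynchronous
  xmlhttp.onreadystatechange = function () {
    // readyState 4 means the request has finished, whether it succeeded or not.
    if (xmlhttp.readyState === 4) {
      // Show the status next to the body so an empty reply is not misread.
      alert("status: " + xmlhttp.status + "\n" + xmlhttp.responseText);
    }
  };
  xmlhttp.send(post_data);
}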
</script>
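<!-- Inputs read by poststuff(): the target URL and the raw request body.
     The trigger is a plain button, not a submit control, so the form itself
     is never submitted; the request is made by the script. -->
<form>
  <label for="posturl">URL</label>
  <input type="text" id="posturl"><br>
  <label for="postparam">POST</label>
  <input type="text" id="postparam"><br>
  <input type="button" onclick="poststuff()" value="xsrf">
</form>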
</body>
Tags: xsrf