Posted by Mark Shroyer on July 8, 2007, 12:16 am
> Mark Shroyer wrote:
>
>>> Mark Shroyer wrote:
>>>
>>>> Using POST instead of GET won't necessarily stop cross-site
>>>> request forgeries, though, if an attacker can get his victim to
>>>> execute a little bit of JavaScript...
>>> Hm? Even form.submit() causes a warning if the form submission
>>> method is POST.
>>
>> Generally speaking, that isn't true. Which browser are you using?
>
> Mozilla Seamonkey 1.1.2. Which browser doesn't have such a general
> check for POST?
None of the latest versions of Firefox, Safari, and IE 7 (the latter
operating with the default security settings for the Internet Zone)
will prevent scripts from submitting a form by POST or require user
authorization to do so. For example:
#v+
<html>
<head>
<title>JavaScript form submission example</title>
<script type="text/javascript">
// Auto-submit the hidden POST form as soon as the page has loaded;
// the user does nothing and the browser asks for no confirmation.
var submitForm = function()
{
document.forms["form"].submit();
}
</script>
</head>
<body onload="submitForm();">
<h1>JavaScript form submission example</h1>
<p>Test whether the web browser gives a warning on a JavaScript form
submission by POST.</p>
<form id="form" action="http://markshroyer.com/test/vars.php" method="post">
<input type="hidden" name="command" value="beEvil" />
</form>
</body>
</html>
#v-
To try it, visit this URL with JavaScript enabled:
http://plaza.ufl.edu/mshroyer/form.html
--
Mark Shroyer
http://markshroyer.com/