[UPHPU] receiving with $_REQUEST

php at ericfaerber.com
Thu Feb 28 17:20:38 MST 2008


>>> This is called cross-site request forgery (CSRF):
>>> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>> You could also write javascript to POST data on a page without the
>> user knowing it. This is a little more difficult to achieve but it's
>> still easy.
>
> How do you do this? As far as I know, XMLHttpRequest() doesn't allow
> cross-domain requests. I don't know of any other way to perform a POST
> without user intervention.
>
> This article by Chris Shiflett (author of PHP Security) was helpful,
> especially comments 4, 5, 37, and 38.
>
> http://shiflett.org/articles/cross-site-request-forgeries

I have not tried this but couldn't you set the action on a form to be the
URL of the page and use onload() to submit the form?


I tried the following and it submits the form. Users may notice a pause on
a blank page but most probably wouldn't think anything of it. I did not
check to see if the variables are accessible on the page I am submitting
the form to.

<html>
<head>
<script type="text/javascript">
function submitForm()
{
	document.myform.submit();
}
</script>

</head>
<body onload="submitForm();">

<form action="http://www.example.com" method="post" name="myform">
<input type="hidden" name="foo" value="bar" />
</form>

</body>
</html>
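The server-side defence the thread's article is pointing at, a synchronizer token, written out as an added example in PHP (not part of the original post or the list member's code). It assumes modern PHP (7 or later, for random_bytes() and hash_equals()) and uses hypothetical names: csrf_token(), csrf_validate() and the handler file update.php. It also ties back to the subject line: the token is read from $_POST only, because $_REQUEST would accept the same value from the query string or a cookie.

```php
<?php
// Added example, not from the original post: synchronizer-token CSRF defence
// for a PHP form handler. Function names and "update.php" are assumptions.

session_start();

// Issue one per-session token from a CSPRNG and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Check the token that arrived with a state-changing request.
// Read from $_POST only: $_REQUEST merges GET, POST and COOKIE, so a value
// smuggled in the URL or a cookie would satisfy the check.
function csrf_validate(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // Constant-time comparison, so the token cannot be guessed byte by byte.
    return hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Token matched: this is where the real state change would happen.
    $foo = $_POST['foo'] ?? '';
    echo 'Accepted foo=' . htmlspecialchars($foo, ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<!-- The genuine form carries the token. A page on another origin that
     auto-submits a form (as in the snippet above) cannot read this value,
     so its POST reaches the 403 branch instead of the handler. -->
<form action="update.php" method="post">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>" />
    <input type="text" name="foo" />
    <input type="submit" value="Save" />
</form>
```

Save it as update.php and load it once in a browser: the GET renders the form with a fresh token, and the form's own POST passes csrf_validate(). A POST arriving without the session's token, which is what the auto-submitting page produces, is rejected before any of $_POST is acted on.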