iframe form pushing

sla.ckers.org is
ha.ckers sla.cking

Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc....

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

iframe form pushing

Posted by: Kyran

Date: August 14, 2011 05:15AM

I've got a great CSRF vuln. Can perform basically any action as the user with ease. But I want to automate certain tasks without redirecting the user around or them knowing what actions.

After creating an iframe in jscript via the dom, how can I create a form to POST from and submit it? I'm just unsure on how to call the submit in the iframe, from jscript inside the iframe.

- Kyran

Options: Reply•Quote

Re: iframe form pushing

Posted by: Reiners

Date: August 14, 2011 10:09AM

document.forms[0].submit() ?

Options: Reply•Quote

Re: iframe form pushing

Posted by: Kyran

Date: August 14, 2011 04:29PM

Naw that wouldn't work. I got it figured out. I have another problem though. Is there anyway to change/intercept the MIME type of a response with js or something? The response of my csrf is in json and opens up a file download on some browsers.

- Kyran

Options: Reply•Quote

Re: iframe form pushing

Posted by: Jean Pascal Pereira

Date: May 29, 2012 10:12AM

You can set a target frame in a form element. Create an invisible iframe and use it as target.

Options: Reply•Quote

Go to: Forum List•Message List•Search•Log In

Sorry, only registered users may post in this forum.

Click here to login