Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
iframe form pushing
Posted by: Kyran
Date: August 14, 2011 05:15AM

I've got a great CSRF vuln. Can perform basically any action as the user with ease. But I want to automate certain tasks without redirecting the user around or them knowing what actions.

After creating an iframe in jscript via the dom, how can I create a form to POST from and submit it? I'm just unsure on how to call the submit in the iframe, from jscript inside the iframe.

- Kyran

Re: iframe form pushing
Posted by: Reiners
Date: August 14, 2011 10:09AM

document.forms[0].submit() ?

Re: iframe form pushing
Posted by: Kyran
Date: August 14, 2011 04:29PM

Naw, that wouldn't work. I got it figured out. I have another problem though. Is there any way to change/intercept the MIME type of a response with js or something? The response of my csrf is in json and opens up a file download on some browsers.

- Kyran

Re: iframe form pushing
Date: May 29, 2012 10:12AM

You can set a target frame in a form element. Create an invisible iframe and use it as target.
