Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
HTML FORM POST submission across domains
Posted by: oneflewup
Date: January 28, 2007 07:00PM

I am researching XSRF and there is one thing I don't really understand.

Is HTTP FORM post allowed across domains? I realized that I can submit an HTTP POST form anywhere I want. The browser is not blocking it. In the case of AJAX I get access denied though.

So does this mean, by using an auto-submit form an attacker can forge a POST request to any domain?

Will this be blocked on the server side?

Pretty cool stuff anyways.

Edited 1 time(s). Last edit at 01/28/2007 07:01PM by oneflewup.

Options: ReplyQuote
Re: HTML FORM POST submission across domains
Posted by: WhiteAcid
Date: January 28, 2007 07:14PM

It's not blocked in any way unless explicitly coded in the application that processes the submitted data.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: HTML FORM POST submission across domains
Posted by: kuza55
Date: January 28, 2007 07:52PM

Like WhiteAcid said; it can be blocked, but most often it isn't. do a search for CSRF and CSRF protections and you'll see what issues this can cause and how people combat it.

Oh, and you can even have the form point to your domain, but have the user get redirected (with Post content intact) to another domain: http://ilia.ws/archives/152-Cross-Domain-POST-Redirection.html

Options: ReplyQuote

Sorry, only registered users may post in this forum.