#14
07-08-2007, 05:16 AM
Mark Shroyer

Re: Can anyone interpret this paragraph from "Connected: An Internet Encyclopedia"?

On 2007-07-07, Sebastian G. <seppi@seppig.de> wrote:
> Mark Shroyer wrote:
>
>> On 2007-07-07, Sebastian G. <seppi@seppig.de> wrote:
>>> Mark Shroyer wrote:
>>>
>>>> Using POST instead of GET won't necessarily stop cross-site
>>>> request forgeries, though, if an attacker can get his victim to
>>>> execute a little bit of JavaScript...
>>> Hm? Even form.submit() causes a warning if the form submission
>>> method is POST.
>>
>> Generally speaking, that isn't true. Which browser are you using?
>
> Mozilla Seamonkey 1.1.2. Which browser doesn't have such a general
> check for POST?

None of the latest versions of Firefox, Safari, and IE 7 (the latter
operating with the default security settings for the Internet Zone)
will prevent scripts from submitting a form by POST or require user
authorization to do so. For example:

#v+
<html>
<head>
<title>JavaScript form submission example</title>
<script type="text/javascript">
// Submit the POST form programmatically, with no user interaction.
submitForm = function()
{
document.forms["form"].submit();
}
</script>
</head>
<!-- Fire the submission as soon as the page has finished loading. -->
<body onload="submitForm();">
<h1>JavaScript form submission example</h1>
<p>Test whether the web browser gives a warning on a JavaScript form
submission by POST.</p>
<form id="form" action="http://markshroyer.com/test/vars.php" method="post">
<input type="hidden" name="command" value="beEvil" />
</form>
</body>
</html>
#v-

To try it, visit this URL with JavaScript enabled:
http://plaza.ufl.edu/mshroyer/form.html

--
Mark Shroyer
http://markshroyer.com/
