Could be useful for proof-of-concepts. Though, if you are a site-owner and your form can be submitted with this, you should probably consider implementing anti-csrf protections.
> This service works by providing a hidden form that is built on page-load and uses javascript to 'click' the form submission. This means cookies will work correctly for the site you've submitted to, but you need to have a javascript enabled browser to use the service.
There should be no forms on the internet that allow CSRF like this. I'd be more concerned about finding a form that allows this than any privacy issues around using this unknown service to submit forms.
There are certainly a lot of forms that this should not work on, I think it's a stretch to say that no forms on the internet should let this work. The login form on news.ycombinator.com even works:
I recommend taking frequent looks at your access log for the URLs you're serving up. One day you may discover you're part of something you don't want to be part of.
This doesn't enable anything that wasn't already possible; it would be trivial for a bad actor to put up a redirector like this, after all. Still, at least when they do that, it's something they did and you have no responsibility.
I don't even know exactly what it is you don't want to be part of. It's just the possible range of URLs you probably will eventually start seeing come through will cross some sort of line for almost any given individual.
at least with some of those you can verify nothing is going over the wire via network inspection tab, with this you're guaranteed everything is going over the wire and there's no way to prove they aren't inspecting your traffic.
Password strength checkers when signing up to a websitr don't send anything over the wire. They generally just analyze the entropy of a password and give live feedback to improve password strength. Why do they make your nervous?
Back in 2008 (high school) I discovered this exact method enabled automatic creation of google accounts from many different visitor ip addresses, because google signup form did not have csrf protection. It was possible to hide all (pre-filled) form values except the captcha from the user. So to the user it looked like they were just filling out a captcha on a random website, but actually they were creating a new google account (using their IP address).
I hadn't heard of responsible disclosure at the time. ¯\_(ツ)_/¯
Awesome! Thanks for sharing. This is going to be really useful for doing CSRF attacks in XSS challenges at CTFs. I always just write the javascript to construct and post the form by hand, but this will be much faster, especially because you can just iframe it.
29 comments
[ 9.7 ms ] story [ 494 ms ] threadI'd recommend some examples (maybe some POST requests to third party services and what they return).
So, with cookies.
You could try:
http://getposted.io/post?action=https://news.ycombinator.com...
But you shouldn't. That use case is specifically why I bring up the privacy issues surrounding using it.
This doesn't enable anything that wasn't already possible; it would be trivial for a bad actor to put up a redirector like this, after all. Still, at least when they do that, it's something they did and you have no responsibility.
I don't even know exactly what it is you don't want to be part of. It's just the possible range of URLs you probably will eventually start seeing come through will cross some sort of line for almost any given individual.
- password strength checkers
- JSON, YAML, EDN, whatever prettiers
- checksum generators
- Base64 (en|de)coders
- etc.
Says it all.
I hadn't heard of responsible disclosure at the time. ¯\_(ツ)_/¯
Over a period of a few months I got quite a decent result from people who'd just happened to visit my website.
Not quite as malicious as your story but equally nefarious.
I mean that's essentially what it's doing — why bother using a third party service at all?
data:text/html,<form method=post action=URL>params...<input type=submit></form>