
It's not so hard to build a form and submit it automatically with JavaScript in order to get a user's browser to do a POST request to any URL you want.


That form wouldn't be on the same domain and therefore would hit CSRF protections.


Yes, if you require a user-specific random token in the request, the exploit doesn't work. But that's independent of GET/POST and not what you said in your earlier post.
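Added example, not part of any comment in this thread: a minimal Node.js sketch of the per-session random token check discussed above, showing that the server's decision depends on the token and not on the HTTP method. The in-memory session store, the function names and the request objects are assumptions constructed for illustration.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Hypothetical in-memory session store: session id -> CSRF token.
const sessions = new Map();

// Issue a random per-session token; the server embeds it in forms it renders.
function issueCsrfToken(sessionId) {
  const token = randomBytes(32).toString('hex');
  sessions.set(sessionId, token);
  return token;
}

// Constant-time comparison; false for a missing or wrong-length token.
function tokenMatches(expected, supplied) {
  if (typeof expected !== 'string' || typeof supplied !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Decide whether a state-changing request is allowed.
// req is a constructed object: { method, sessionId, csrfToken }.
// The HTTP method is deliberately not consulted: the session cookie is sent
// on a cross-site request either way, and only the token shows that the
// request was built from a page the site itself served.
function authorizeStateChange(req) {
  const expected = sessions.get(req.sessionId);
  if (!tokenMatches(expected, req.csrfToken)) {
    return { allowed: false, reason: 'missing or invalid CSRF token' };
  }
  return { allowed: true, reason: 'token matches session' };
}

// Constructed sample requests against one session.
function demo() {
  const token = issueCsrfToken('sess-alice');
  return [
    // Form rendered by the site itself: carries the token.
    authorizeStateChange({ method: 'POST', sessionId: 'sess-alice', csrfToken: token }),
    // Cross-site auto-submitted POST: cookie identifies the session, no token.
    authorizeStateChange({ method: 'POST', sessionId: 'sess-alice' }),
    // Cross-site GET with a guessed token: rejected the same way.
    authorizeStateChange({ method: 'GET', sessionId: 'sess-alice', csrfToken: '0'.repeat(64) }),
  ].map((r) => r.allowed);
}

console.log(demo());
```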



