Can applications using only POST be vulnerable?
Yes. An attacker could craft a web form on site A and using JavaScript auto submit the form to a target location of Site b. If the application containing the CSRF payload uses a browser component that runs in the local zone, then sending remote POST requests to any website is possible using XMLHTTP or similar objects. There’s another way to attack a website using purely POST based parameters, however this depends entirely on how the web application was developed. Popular web based libraries such as Perl’s CGI.PM module allow a developer to fetch a parameter without caring if it came in through a GET or POST request. As is the case with certain usages of CGI.PM, POST requests can be converted to GET by the attacker and the application action will still be performed. Below is an example. Perl’s CGI.PM —————————— use CGI qw(:all); $value = param(‘foo’); print “Content-type: text/html\n\n”; print “The ‘foo’ parameter value is $value\n\n\n”; —————————–
