by jamessocol
5083 days ago
> In order to issue a POST request to siteA from the evil page, the attacker only has to submit a crafted POST form using an iframe.

Yes, but requiring POST for anything that changes anything (especially bank transfers) is a best practice anyway, for how all actors involved understand HTTP verbs, and reduces the surface area of attack. You can create a POST with an iframe, but you can create a GET with an image tag: `<img src="http://mybank.com/transfer?...">`
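The two layers the comment argues about, shown as an added example (not code from the original thread): a hypothetical `/transfer` handler that first refuses anything but POST (which is all an `<img>` tag or a plain link can produce) and then, because a hidden iframe can still auto-submit a cross-site POST form, also demands a per-session anti-CSRF token that a third-party page cannot read. The request dictionaries, session ids and the server secret are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a per-session anti-CSRF token as HMAC-SHA256(secret, session_id).

    The token is rendered into the bank's own form; a cross-origin page that
    embeds an iframe or image cannot read it, so it cannot include it.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request: dict, secret: bytes = SERVER_SECRET) -> tuple:
    """Hypothetical /transfer endpoint. Returns (status_code, message)."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"

    # Layer 1: a state change must arrive via POST. An <img src="/transfer?...">
    # or a bare link can only produce a GET, so this alone stops the image trick.
    if request.get("method") != "POST":
        return 405, "transfers require POST"

    # Layer 2: a hidden iframe can still auto-submit a cross-site POST form with
    # the victim's cookie attached, so POST alone is not enough. Require the
    # token, comparing in constant time.
    supplied = request.get("form", {}).get("csrf_token", "")
    expected = make_csrf_token(session_id, secret)
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid CSRF token"

    amount = request["form"].get("amount")
    return 200, f"transferred {amount}"


def demo() -> list:
    """Run three constructed requests through the handler; returns their status codes."""
    sid = "sess-" + secrets.token_hex(8)
    cookies = {"session": sid}  # the browser sends the session cookie in every case

    # What an <img src="http://mybank.com/transfer?..."> on a third-party page yields.
    img_get = {"method": "GET", "cookies": cookies,
               "query": {"amount": "1000", "to": "other-account"}}
    # What an auto-submitted cross-site form inside an iframe yields: POST, cookie, no token.
    iframe_post = {"method": "POST", "cookies": cookies,
                   "form": {"amount": "1000", "to": "other-account"}}
    # The bank's own form, which carries the token rendered into the page.
    legit = {"method": "POST", "cookies": cookies,
             "form": {"amount": "10", "to": "rent", "csrf_token": make_csrf_token(sid)}}

    return [handle_transfer(r)[0] for r in (img_get, iframe_post, legit)]


if __name__ == "__main__":
    print(demo())  # expected: [405, 403, 200]
```

Running `demo()` gives `[405, 403, 200]`: the image-triggered GET fails on the method check, the iframe-submitted POST fails on the token check, and only the same-site form with the token succeeds. In a real application the token check belongs in framework middleware rather than in each handler, and marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer.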