
Show HN: Send POST requests via simple URLs - CJKinni
http://getposted.io
======
jerf
I recommend taking frequent looks at your access log for the URLs you're
serving up. One day you may discover you're part of something you don't want
to be part of.

This doesn't enable anything that wasn't already possible; it would be trivial
for a bad actor to put up a redirector like this, after all. Still, at least
when they do that, it's something they did and you have no responsibility.

I don't even know exactly what it is you don't want to be part of. It's just
that the possible range of URLs you will probably eventually start seeing come
through will cross some sort of line for almost any given individual.

------
chatmasta
Back in 2008 (high school) I discovered this exact method enabled automatic
creation of Google accounts from many different visitor IP addresses, because
the Google signup form did not have CSRF protection. It was possible to hide all
(pre-filled) form values except the captcha from the user. So to the user it
looked like they were just filling out a captcha on a random website, but
actually they were creating a new Google account (using their IP address).

I hadn't heard of responsible disclosure at the time. ¯\\_(ツ)_/¯

~~~
stevekemp
Once upon a time I wrote a java applet, which looked like it was showing an
animation, but was secretly calculating digits of PI.

Over a period of a few months I got quite a decent result from people who'd
just happened to visit my website.

Not quite as malicious as your story but equally nefarious.

------
avian
Isn't this basically CSRF-as-a-service?

~~~
y7
But without the cookies.

~~~
niftich
> _This service works by providing a hidden form that is built on page-load
> and uses javascript to 'click' the form submission. This means cookies will
> work correctly for the site you've submitted to, but you need to have a
> javascript enabled browser to use the service._

So, with cookies.

------
callesgg
I would have liked it if it was completely client side, parsing the parameters
in JavaScript. That way you could host it on a static page.

~~~
CJKinni
That's a really good point. It definitely should work that way.
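
What niftich's quoted description and callesgg's suggestion amount to, as an added example that is not the service's own code: a page that does all the work client side, reading the target and the fields from its own query string (the "action" parameter name is taken from the example link later in the thread) and writing out a hidden form that submits itself on load. Function names and the static.example / target.example hosts are this example's own assumptions.

```javascript
// Added example, not code from getposted.io: a purely client-side version of
// the service, as callesgg suggests. Everything is derived from the query
// string of the page's own URL, so it could be served from any static host.
// Names such as buildAutoPostPage and the example hosts are assumptions.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Split a page URL such as
//   https://static.example/post?action=https://target.example/login&acct=a&pw=b
// into the form target ("action") and the fields to POST (every other param).
function parsePostRequest(pageUrl) {
  const url = new URL(pageUrl);
  const action = url.searchParams.get('action');
  if (!action) throw new Error('missing action parameter');
  const target = new URL(action); // throws on a relative or malformed target
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    // Refuse javascript:, data: and friends; the form must go to a web origin.
    throw new Error('only http(s) targets are allowed');
  }
  const fields = [];
  for (const [name, value] of url.searchParams) {
    if (name !== 'action') fields.push([name, value]);
  }
  return { action: target.href, fields };
}

// Render the hidden form plus the script that submits it on load. This is the
// mechanism niftich quotes: the browser itself sends the POST, so whatever
// cookies it holds for the target ride along, exactly as in a classic CSRF.
function buildAutoPostPage({ action, fields }) {
  const inputs = fields
    .map(([n, v]) =>
      `<input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
    .join('\n    ');
  return `<!doctype html>
<html><body>
  <form id="f" method="post" action="${escapeHtml(action)}">
    ${inputs}
    <noscript><input type="submit" value="Send POST"></noscript>
  </form>
  <script>document.getElementById('f').submit();</script>
</body></html>`;
}

// In a browser this is the whole static page's logic: read location.href and
// replace the document with the generated form. Node has no DOM, so guard it.
if (typeof document !== 'undefined') {
  document.open();
  document.write(buildAutoPostPage(parsePostRequest(location.href)));
  document.close();
}
```

The escaping matters even here: the field values come straight from whoever crafted the link, and without it the page would be an open XSS on the static host as well as a POST redirector.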

------
fiatjaf
Ok, this was fun to write, I get it. But it serves no real needs, and it may
do a lot of harm to you and others.

------
awirth
Awesome! Thanks for sharing. This is going to be really useful for doing CSRF
attacks in XSS challenges at CTFs. I always just write the javascript to
construct and post the form by hand, but this will be much faster, especially
because you can just iframe it.

------
nkkollaw
Postman and similar software work great, but good idea.

~~~
taytus
+1 for Postman. Great tool.

~~~
dmlittle
Insomnia is also great.

------
nathancahill
There should be no forms on the internet that allow CSRF like this. I'd be
more concerned about finding a form that allows this than any privacy issues
around using this unknown service to submit forms.

~~~
CJKinni
There are certainly a lot of forms that this should not work on, but I think
it's a stretch to say that no forms on the internet should let this work. The
login form on news.ycombinator.com even works:

You could try:

[http://getposted.io/post?action=https://news.ycombinator.com...](http://getposted.io/post?action=https://news.ycombinator.com/login&acct=nathancahill&pw=YourPassword)

But you shouldn't. That use case is specifically why I bring up the privacy
issues surrounding using it.

------
unit91
Not saying the service owner is a bad guy but this is in the category of
online tools that always makes me nervous, along with:

- password strength checkers

- JSON, YAML, EDN, whatever prettiers

- checksum generators

- Base64 (en|de)coders

- etc.

~~~
codelitt
Password strength checkers when signing up to a website don't send anything
over the wire. They generally just analyze the entropy of a password and give
live feedback to improve password strength. Why do they make you nervous?

------
valbaca
> If you're not comfortable with anyone seeing what you're sending, don't
> send it via a website you found out about 15 minutes ago.

Says it all.

------
homakov
I don't need a service to send this

data:text/html,<form method=post action=URL>params...<input type=submit></form>

------
WrtCdEvrydy
Short, discrete and to the point.

I'd recommend some examples (maybe some POST requests to third party services
and what they return).

------
tedmiston
For the use case described it seems like better UX to auto-fill a form via
query params than to auto submit it for the user.

I mean that's essentially what it's doing — why bother using a third party
service at all?

------
zkms
Is there a specific reason (related to POST requests or anything -- I know
absolutely nothing about HTTP) that this doesn't have https?

------
mmosta
No thank you.

