Hacker News new | comments | show | ask | jobs | submit login
Show HN: Send POST requests via simple URLs (getposted.io)
60 points by CJKinni on Apr 21, 2017 | hide | past | web | favorite | 29 comments

I recommend taking frequent looks at your access log for the URLs you're serving up. One day you may discover you're part of something you don't want to be part of.

This doesn't enable anything that wasn't already possible; it would be trivial for a bad actor to put up a redirector like this, after all. Still, at least when they do that, it's something they did and you have no responsibility.

I don't even know exactly what it is you don't want to be part of. It's just the possible range of URLs you probably will eventually start seeing come through will cross some sort of line for almost any given individual.

Back in 2008 (high school) I discovered this exact method enabled automatic creation of google accounts from many different visitor ip addresses, because google signup form did not have csrf protection. It was possible to hide all (pre-filled) form values except the captcha from the user. So to the user it looked like they were just filling out a captcha on a random website, but actually they were creating a new google account (using their IP address).

I hadn't heard of responsible disclosure at the time. ¯\_(ツ)_/¯

Once upon a time I wrote a java applet, which looked like it was showing an animation, but was secretly calculating digits of PI.

Over a period of a few months I got quite a decent result from people who'd just happened to visit my website.

Not quite as malicious as your story but equally nefarious.

Isn't this basically CSRF-as-a-service?

Could be useful for proof-of-concepts. Though, if you are a site-owner and your form can be submitted with this, you should probably consider implementing anti-csrf protections.

That was exactly what I was thinking, you don't even need to create an account or anything it seems.

But without the cookies.

> This service works by providing a hidden form that is built on page-load and uses javascript to 'click' the form submission. This means cookies will work correctly for the site you've submitted to, but you need to have a javascript enabled browser to use the service.

So, with cookies.

Good point.

Great for pentesting!

I would have liked it id it was completly client side parsing the parameters in javascript. That way you could host it on a static page.

That's a really good point. It definitely should work that way.

Ok, this was fun to write, I get it. But it serves no real needs, and it may do a lot of harm to you and others.

Awesome! Thanks for sharing. This is going to be really useful for doing CSRF attacks in XSS challenges at CTFs. I always just write the javascript to construct and post the form by hand, but this will be much faster, especially because you can just iframe it.

Postman and similar software work great, but good idea.

+1 for Postman. Great tool.

Insomnia is also great.

Paw is great, too.

There should be no forms on the internet that allow CSRF like this. I'd be more concerned about finding a form that allows this than any privacy issues around using this unknown service to submit forms.

There are certainly a lot of forms that this should not work on, I think it's a stretch to say that no forms on the internet should let this work. The login form on news.ycombinator.com even works:

You could try:


But you shouldn't. That use case is specifically why I bring up the privacy issues surrounding using it.

Not saying the service owner is a bad guy but this is in the category of online tools that always makes me nervous, along with:

- password strength checkers

- JSON, YAML, EDN, whatever prettiers

- checksum generators

- Base64 (en|de)coders

- etc.

Password strength checkers when signing up to a websitr don't send anything over the wire. They generally just analyze the entropy of a password and give live feedback to improve password strength. Why do they make your nervous?

at least with some of those you can verify nothing is going over the wire via network inspection tab, with this you're guaranteed everything is going over the wire and there's no way to prove they aren't inspecting your traffic.

> If you're not comfortable with anyone seeing what you're sending, > don't send it via a website you found out about 15 minutes ago.

Says it all.

I don't need a service to send this

data:text/html,<form method=post action=URL>params...<input type=submit></form>

Short, discrete and to the point.

I'd recommend some examples (maybe some POST requests to third party services and what they return).

For the use case described it seems like better UX to auto-fill a form via query params than to auto submit it for the user.

I mean that's essentially what it's doing — why bother using a third party service at all?

Is there a specific reason (related to POST requests or anything -- I know absolutely nothing about HTTP) that this doesn't have https?

No thank you.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact