问题
I'm try to see if a website is vulnerable to CSRF with following code
<html>
<body>
<div>
<iframe width="0" height="0" border="0" name="dummyframe" id="dummyframe"></iframe>
<form action="TARGET_SITE" method="GET" id="get_site" target="dummyframe"></form>
<script>
document.getElementById("get_site").submit();
var e = document.getElementById("dummyframe");
if(e != null) {
alert(e.contentWindow.document.body.innerHTML);
}
</script>
</div>
</body>
</html>The iframe tag is added here to avoid the page redirect when the form is submitted from the java script. When the form is being submitted, i do see a HTML response with some interesting information which i would want access.
But how do i access that HTML response, either from the iframe or form tag, the alert window in the example pops up but it doesn't print anything.
Thanks
回答1:
If all you want to do is obtain the HTML of an external page and add that to an <iframe>, then you need to use a server-side language (NodeJS, PHP, Python), because of this reason (thanks @Hannes):
All common Browsers do not allows Javasript Calls to access any Pages with another (sub)Domain because of the Same Origin Policy. The only way to work around that is to set up some kind of "proxy" on your own server (for example an php Script) that runs under the same Domain, gets the Information you want from a third source and prints them out.
Taken from here.
来源:https://stackoverflow.com/questions/52462888/csrf-attack-with-form-get-and-iframe