Cross site form post with external site on different domain

我与影子孤独终老i submitted on 2020-01-04 05:26:32

Question


We're integrating our site with an external site using form posts. The form on our page will submit to an external site on a different domain. Is this even possible? I thought that would be an injection attack.


Answer 1:


Yes, it should be possible. Make sure you have enough validations in place so that you don't post harmful data (and you are not held responsible). Also, I hope the other party has some server-side validation as well.




Answer 2:


You probably want to learn more about the same-origin policy; this is the best writeup I have found: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy




Answer 3:


There is a type of vulnerability called Cross Site Request Forgeries or XSRF. XSRF has nothing to do with the type of data, but rather that the request originates from a different server. http://www.owasp.org/index.php/XSRF

Here is an XSRF exploit POST request that I wrote: http://www.exploit-db.com/exploits/7922/ This JavaScript is used to automatically fire off a form when the page is viewed:

<script>document.getElementById(1).submit();</script>
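
An added example, not part of the original thread: one way a receiving server can tell an agreed cross-domain form post from a forged, auto-submitted one, by checking the Origin/Referer header against an allowlist and requiring a session-bound token on its own forms. The origins, the `csrf_token` field name, the header dictionary shape and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for this example (not from the thread).
SECRET = secrets.token_bytes(32)
OWN_ORIGIN = "https://shop.example"
PARTNER_ORIGINS = {"https://partner.example"}  # agreed cross-site senders


def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id):
    """Hidden-field value for forms served by OWN_ORIGIN, bound to a session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_valid(session_id, token):
    nonce, _, sig = token.partition(".")
    return hmac.compare_digest(_mac(session_id, nonce).encode(), sig.encode())


def source_origin(headers):
    """Origin header if sent, else the origin part of Referer; None if unusable."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify_post(headers, session_id, form):
    """Return "own", "partner" or "reject" for a state-changing POST."""
    origin = source_origin(headers)
    if origin == OWN_ORIGIN:
        # Our own form: must carry the token issued for this user's session.
        ok = bool(session_id) and token_valid(session_id, form.get("csrf_token", ""))
        return "own" if ok else "reject"
    if origin in PARTNER_ORIGINS:
        # Expected integration post: treat fields as untrusted input and do
        # not act on the visitor's session cookie in this handler.
        return "partner"
    return "reject"  # unknown, "null" or missing source
```

The header check only addresses requests driven through a visitor's browser; a non-browser client can send any header it likes, so data arriving on the partner path still needs server-side validation.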


Source: https://stackoverflow.com/questions/1587815/cross-site-form-post-with-external-site-on-different-domain
