Show HN: Send POST requests via simple URLs (opens in new tab)

Isn't this basically CSRF-as-a-service?

Postman and similar software work great, but good idea.

Not saying the service owner is a bad guy but this is in the category of online tools that always makes me nervous, along with:

- password strength checkers

- JSON, YAML, EDN, whatever prettiers

- checksum generators

- Base64 (en|de)coders

- etc.

Back in 2008 (high school) I discovered this exact method enabled automatic creation of google accounts from many different visitor ip addresses, because google signup form did not have csrf protection. It was possible to hide all (pre-filled) form values except the captcha from the user. So to the user it looked like they were just filling out a captcha on a random website, but actually they were creating a new google account (using their IP address).

I hadn't heard of responsible disclosure at the time. ¯\_(ツ)_/¯

I would have liked it id it was completly client side parsing the parameters in javascript. That way you could host it on a static page.

There should be no forms on the internet that allow CSRF like this. I'd be more concerned about finding a form that allows this than any privacy issues around using this unknown service to submit forms.

I recommend taking frequent looks at your access log for the URLs you're serving up. One day you may discover you're part of something you don't want to be part of.

This doesn't enable anything that wasn't already possible; it would be trivial for a bad actor to put up a redirector like this, after all. Still, at least when they do that, it's something they did and you have no responsibility.

I don't even know exactly what it is you don't want to be part of. It's just the possible range of URLs you probably will eventually start seeing come through will cross some sort of line for almost any given individual.

Ok, this was fun to write, I get it. But it serves no real needs, and it may do a lot of harm to you and others.

Awesome! Thanks for sharing. This is going to be really useful for doing CSRF attacks in XSS challenges at CTFs. I always just write the javascript to construct and post the form by hand, but this will be much faster, especially because you can just iframe it.

> If you're not comfortable with anyone seeing what you're sending, > don't send it via a website you found out about 15 minutes ago.

Says it all.

I don't need a service to send this

data:text/html,<form method=post action=URL>params...<input type=submit></form>

Short, discrete and to the point.

I'd recommend some examples (maybe some POST requests to third party services and what they return).

For the use case described it seems like better UX to auto-fill a form via query params than to auto submit it for the user.

I mean that's essentially what it's doing — why bother using a third party service at all?

Is there a specific reason (related to POST requests or anything -- I know absolutely nothing about HTTP) that this doesn't have https?

No thank you.