Why do most examples of CSRF use roundabout ways of executing an API call instead of just using pure Javascript?
When I see examples of CSRF attacks, it is almost always explained with someone entering some external API URL in an `<img>` tag, e.g. `<img src="bank.com/transfer?amount=10000&recipient=badguy">`. Or it involves a form which, when submitted, executes a POST request to bank.com.
My question is why not just include the API call in a `<script>` tag? For example,

```html
<html>
...
<script>
  // fetch() takes its options as an object; query parameters are joined with "&"
  fetch("https://bank.com/transfer?amount=10000&recipient=badguy", { method: "POST" });
</script>
</html>
```
Wouldn't this have the same effect, or perhaps even greater effect since the user wouldn't have to manually submit a form?
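Added example, not written by the question's author: a server-side check that treats all three vectors in the question (image GET, auto-submitted form POST, scripted fetch POST) the same way, because the browser labels each of them with the same cross-site request metadata. It assumes the only trusted origin is `https://bank.example` and that requests are plain `{method, headers}` objects with lowercased header names, as Node's `http` module provides.

```javascript
// Added example (not from the question). Assumptions: the trusted site is
// https://bank.example and `req` is {method, headers} with lowercased header
// names. Only browser-controlled headers are consulted, which a third-party
// page cannot set via <img>, <form> or fetch().
const TRUSTED_ORIGIN = "https://bank.example";
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Returns null when the request may proceed, otherwise a rejection reason.
function checkCrossSiteRequest(req, trustedOrigin = TRUSTED_ORIGIN) {
  const { method, headers } = req;

  // Safe methods pass: the defence against the <img> vector is that
  // /transfer must not change state on a GET at all (see the usage note).
  if (!STATE_CHANGING.has(method)) return null;

  // Modern browsers attach Sec-Fetch-Site to every request. The form POST
  // and the fetch() POST from another site both arrive as "cross-site".
  const site = headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "same-site" && site !== "none") {
    return `rejected: Sec-Fetch-Site=${site}`;
  }

  // Cross-origin POSTs (form navigation or fetch) always carry an Origin
  // header naming the issuing page, even in browsers without Sec-Fetch-Site.
  const origin = headers["origin"];
  if (!origin) return "rejected: no Origin on state-changing request";
  if (origin !== trustedOrigin) return `rejected: Origin=${origin}`;
  return null;
}

// Constructed sample requests: the three vectors from the question plus one
// legitimate same-origin call.
const samples = {
  imgGet:    { method: "GET",  headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "image" } },
  formPost:  { method: "POST", headers: { "sec-fetch-site": "cross-site", origin: "https://evil.example" } },
  fetchPost: { method: "POST", headers: { "sec-fetch-site": "cross-site", origin: "https://evil.example" } },
  ownPost:   { method: "POST", headers: { "sec-fetch-site": "same-origin", origin: "https://bank.example" } },
};

// Runs every sample through the check and returns {name: reason|null}.
function runSamples() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, req]) => [name, checkCrossSiteRequest(req)])
  );
}
```

The `imgGet` sample passes the check on purpose: a header check cannot protect an endpoint that performs a transfer on GET, so that vector is closed by making the endpoint POST-only, after which it falls under the same Origin and Sec-Fetch-Site rules as the other two.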