2.6. Spoofed Form Submissions
Spoofing a form is almost as easy as manipulating a URL. After all, the submission of a form is just an HTTP request sent by the browser. The request format is somewhat determined by the form, and some of the data within the request is provided by the user.
Most forms specify an action as a relative URL:
<form action="process.php" method="POST">
The browser requests the URL identified by the action attribute upon form submission, and it uses the current URL to resolve relative URLs. For example, if the previous form is in the response to a request for http://example.org/path/to/form.php, the URL requested after the user submits the form is http://example.org/path/to/process.php.
Knowing this, it is easy to realize that you can indicate an absolute URL, allowing the form to reside anywhere:
<form action="http://example.org/path/to/process.php" method="POST">
This form can be located anywhere, and a request sent using this form is identical to a request sent using the original form. Knowing this, an attacker can view the source of a page, save that source to his server, and modify the action attribute to specify an absolute URL. With these modifications in place, the attacker can alter the form as desired: eliminate a maxlength restriction, eliminate client-side data validation, alter the value of hidden form elements, or modify form element types to provide more flexibility. These modifications help an attacker to submit arbitrary data to the server, and the process is very easy and convenient; the attacker doesn't have to be an expert.
Although it might seem surprising, form spoofing isn't something you can prevent, nor is it something you should worry about. As long as you properly filter input, users have to abide by your rules. However they choose to do so is irrelevant.
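The following process.php handler is an added example, not code from the book, illustrating what "properly filter input" means for the form above: every restriction the original form expressed only on the client (a maxlength, a hidden field's fixed value, a select's option list) is re-checked on the server, so a spoofed copy of the form that drops them gains nothing. The form fields (topic_id, username, rating, comment) and their rules are assumptions made up for the example.

```php
<?php
// Added example (not from the book): server-side re-validation for process.php.
// Hypothetical form fields: hidden "topic_id", "username" (maxlength="20"),
// a <select> "rating" offering 1..5, and a "comment" textarea.
function filter_comment_form(array $post): array
{
    $clean = [];   // only validated values are ever used by the application
    $errors = [];

    // Hidden field: a normal browser cannot change it, a spoofed form can.
    if (isset($post['topic_id']) && is_string($post['topic_id'])
        && ctype_digit($post['topic_id']) && (int) $post['topic_id'] > 0) {
        $clean['topic_id'] = (int) $post['topic_id'];
    } else {
        $errors[] = 'topic_id';
    }

    // maxlength="20" is purely advisory; enforce the same bound here.
    if (isset($post['username']) && is_string($post['username'])
        && preg_match('/^[A-Za-z0-9_]{1,20}$/', $post['username'])) {
        $clean['username'] = $post['username'];
    } else {
        $errors[] = 'username';
    }

    // A <select> offers 1..5, but the HTTP request can carry any value.
    if (isset($post['rating'])
        && in_array($post['rating'], ['1', '2', '3', '4', '5'], true)) {
        $clean['rating'] = (int) $post['rating'];
    } else {
        $errors[] = 'rating';
    }

    // Free text: bound its length and reject control characters.
    if (isset($post['comment']) && is_string($post['comment'])
        && strlen($post['comment']) <= 2000
        && !preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $post['comment'])) {
        $clean['comment'] = $post['comment'];
    } else {
        $errors[] = 'comment';
    }

    // Fields a spoofed form adds (e.g. "is_admin") never reach $clean.
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample: a submission that ignores every client-side rule.
$spoofed = ['topic_id' => 'abc', 'username' => str_repeat('a', 30),
            'rating' => '9', 'comment' => 'hello', 'is_admin' => '1'];
print_r(filter_comment_form($spoofed)); // errors: topic_id, username, rating
```

In practice the handler passes `$_POST` to this function and proceeds only when `$errors` is empty, working exclusively from `$clean`.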