I recently had cause to create a proof-of-concept for a site that seemed to be vulnerable to Cross-Site Request Forgery (CSRF).  I say “seemed” because there was no CSRF protection, but I was finding the XML POST body really hard to forge (It was a SOAP / XMLRPC type request). Eventually Sid from notsosecure.com pointed […]