Munchkin ID and Form ID are available on every Marketo LP; by using those values anyone can create spam leads in any Marketo instance using the above method. Is there any way to stop that? /save or /save2 should not work directly and should not create any lead?
That's the way the Marketo forms endpoint works, Arpit. (And the way any forms endpoint that doesn't specifically require a CSRF token works, not that it's difficult to simulate a CSRF token.)
As Sanford mentioned, there is no CSRF (Cross-Site Request Forgery) requirement for Marketo forms.
For your information, a CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid.
CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user. Since the attacker cannot determine or predict the value of a user's CSRF token, they cannot construct a request with all the parameters that are necessary for the application to honor the request.
Yes, and more to the point: for demand gen forms CSRF tokens make no sense, because there's no boundary between the authorized session and an unauthorized session on another domain.
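The two replies above describe how a CSRF token works and why one would not help an anonymous demand-gen form. The following is an added example, not code from Marketo or from either poster, that shows both points in one place: a session-bound HMAC token is issued and verified, a toy stand-in for a forms endpoint (hypothetical; it only mimics the munchkinId/formId requirement of /save2) rejects a cross-site request that lacks the victim's token, and then an attacker with their own anonymous "session" simply obtains a fresh token and posts a lead anyway, because there is no authorized session to bind the token to. The munchkin ID, form ID and session names are constructed placeholders.

```python
"""Added example: CSRF token issue/verify, and why it doesn't stop spam on an
anonymous form. Not Marketo's code; the endpoint below is a hypothetical stand-in."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side secret. In a real deployment this would come from config or a KMS.
_SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Issue a token bound to one session: nonce + HMAC(secret, session_id:nonce).

    Stateless on the server side: nothing is stored, the MAC is recomputed on check.
    The attacker cannot produce a valid MAC without the server secret."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(_SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Accept only a token whose MAC matches this session; constant-time compare."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False
    expected = hmac.new(_SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_form_save(params: dict, session_id: Optional[str], require_csrf: bool) -> Tuple[int, str]:
    """Hypothetical forms endpoint. Like the real /save2 it needs munchkinId and formId;
    unlike the real one it can optionally demand a session-bound CSRF token."""
    if not params.get("munchkinId") or not params.get("formId"):
        return 400, "missing munchkinId/formId"
    if require_csrf:
        if session_id is None or not verify_csrf_token(session_id, params.get("_csrf", "")):
            return 403, "missing or invalid CSRF token"
    return 200, f"lead created in {params['munchkinId']} via form {params['formId']}"


# Constructed placeholders; any real instance would have its own values.
FORM = {"munchkinId": "000-AAA-000", "formId": "1001", "Email": "spam@example.com"}


def demo() -> dict:
    """Run the three scenarios from the thread and return their status codes."""
    results = {}

    # 1. Forms endpoint as it is today: no session, no token. Anyone who has read
    #    the munchkinId/formId off a landing page can post a lead from anywhere.
    results["anonymous_no_csrf"] = handle_form_save(dict(FORM), None, False)[0]

    # 2. An authenticated app that requires a CSRF token. The victim's browser
    #    carries the session cookie, but the attacker's cross-site page cannot read
    #    the victim's token, so the forged POST arrives without it and is rejected.
    victim_token = issue_csrf_token("victim-session")
    results["forged_missing_token"] = handle_form_save(dict(FORM), "victim-session", True)[0]
    results["legit_with_token"] = handle_form_save({**FORM, "_csrf": victim_token}, "victim-session", True)[0]

    # 3. CSRF token bolted onto an anonymous demand-gen form. The attacker is just
    #    another anonymous visitor: load the page, receive a token for your own
    #    session, submit it. Nothing distinguishes this from a real visitor.
    attacker_token = issue_csrf_token("attacker-session")
    results["anonymous_with_own_token"] = handle_form_save({**FORM, "_csrf": attacker_token}, "attacker-session", True)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

Scenario 2 is where a CSRF token earns its keep: the token is bound to a session the attacker does not hold. Scenario 3 is the point made in the last reply; on a public form the "session" is anything the visitor asks for, so the token only proves the poster loaded the page first, which a spam script does anyway.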