[WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

Michal Zalewski lcamtuf at coredump.cx
Thu Feb 10 15:11:06 EST 2011


> We see here that the POST request is being sent to www.victim.com, with the additional headers and the POST body. Web server frameworks can no longer rely on the implied security of additional HTTP Request Headers alone to prevent CSRF.

I think it would be more reasonable to convince Adobe to fix it, than
to write off this mechanism as an XSRF defense... unfortunately, as I
understand it, they have been aware of this problem for a long while (> 6
months), and it's been quasi-public ever since...

/mz
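To show the defender's side of the point made above, here is an added example (not code from the original post or from any project): a header-only CSRF check of the kind the thread says is no longer sufficient, next to a check that also requires an allowed Origin and a session-bound synchronizer token. The secret, the allowed-origin set and the session ids are constructed placeholder values.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed example values; a real deployment loads the secret from
# configuration and derives the allowed origins from its own hostnames.
SERVER_SECRET = b"example-server-secret-replace-in-production"
ALLOWED_ORIGINS = {"https://www.victim.com"}


def header_only_check(headers: dict) -> bool:
    """The weak defense: accept any request carrying a custom header,
    on the assumption that only same-origin XHR can add one. Once a
    plugin can add arbitrary headers cross-site, this proves nothing."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC, so a
    cross-site request cannot produce it without reading the session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Compare the Origin header (Referer as fallback) against the
    site's own origin; reject requests that carry neither."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def hardened_check(headers: dict, form: dict, session_id: str) -> bool:
    """Require both an allowed origin and a valid session-bound token;
    the custom header is no longer part of the decision."""
    token = form.get("csrf_token", "")
    return origin_allowed(headers) and hmac.compare_digest(token, issue_token(session_id))
```

A request that only carries the custom header passes `header_only_check` but fails `hardened_check`, which is the gap the thread describes.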