[WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

Andy Steingruebl steingra at gmail.com
Thu Feb 10 16:34:25 EST 2011

On Thu, Feb 10, 2011 at 12:11 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> We see here that the POST request is being set to www.victim.com, with the additional headers and the POST body. Web server frameworks can no longer rely on the implied security of additional HTTP Request Headers alone to prevent CSRF.
> I think it would be more reasonable to convince Adobe to fix it, than
> to write off this mechanism as an XSRF defense... unfortunately, as I
> understand it, they are aware of this problem for a longer while (> 6
> months), and it's been quasi-public ever since...

Out of curiosity (and willing to confess my ignorance) is there a spec
somewhere that explains the "proper" behavior, is Adobe not following
that spec, and if not specified somewhere, where should this be?

Seems that every time a security defense gets created that relies on
certain aspects of browser behavior especially as it relates to
headers that are or are not sacrosanct, we end up with these sorts of
problems...  Obviously room for improvement.

- Andy

More information about the websecurity mailing list