[WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

Sripathi Krishnan sripathi.krishnan at gmail.com
Thu Feb 10 15:50:56 EST 2011

Thanks for sharing this. I assumed it would be Flash because the RoR team made a
backward-incompatible change to their library to fix this issue.

Michal - I agree Flash should fix this. What's their justification for not
doing so?


On 11 February 2011 01:41, Michal Zalewski <lcamtuf at coredump.cx> wrote:

> > We see here that the POST request is being sent to www.victim.com, with
> > the additional headers and the POST body. Web server frameworks can no
> > longer rely on the implied security of additional HTTP Request Headers alone
> > to prevent CSRF.
>
> I think it would be more reasonable to convince Adobe to fix it than
> to write off this mechanism as an XSRF defense... unfortunately, as I
> understand it, they have been aware of this problem for a long while (> 6
> months), and it's been quasi-public ever since...
> /mz
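The point the quoted text makes, as an added example that is not part of the thread and not Rails' own code: a framework that skips its token check whenever a custom header such as X-Requested-With is present is defeated by any client that can attach that header cross-site, whereas a synchronizer token bound to the session still holds. The request and session hashes are constructed stand-ins for a real framework's objects.

```ruby
require 'securerandom'

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Weak variant: trusts the custom header as proof of a same-origin XHR and
# skips the token check entirely when it is present. This is the assumption
# the thread says can no longer be relied on.
def header_trusting_csrf_ok?(request, session)
  return true if request[:method] == 'GET'
  return true if request[:headers]['X-Requested-With'] == 'XMLHttpRequest'
  secure_compare(request[:params]['authenticity_token'], session[:csrf_token])
end

# Hardened variant: every state-changing request must echo the per-session
# secret, regardless of which headers it carries.
def token_csrf_ok?(request, session)
  return true if request[:method] == 'GET'
  secure_compare(request[:params]['authenticity_token'], session[:csrf_token])
end

# Constructed session with a random synchronizer token.
SESSION = { csrf_token: SecureRandom.hex(16) }

# Constructed cross-site POST: it can carry the custom header, but it cannot
# know the victim's session token, so it omits it.
FORGED = {
  method: 'POST',
  headers: { 'X-Requested-With' => 'XMLHttpRequest' },
  params: { 'amount' => '1000' },
}

# Constructed legitimate POST from the site's own form, carrying the token.
LEGIT = {
  method: 'POST',
  headers: {},
  params: { 'amount' => '10', 'authenticity_token' => SESSION[:csrf_token] },
}

if __FILE__ == $PROGRAM_NAME
  puts "header-trusting check accepts forged request: #{header_trusting_csrf_ok?(FORGED, SESSION)}"
  puts "token check accepts forged request:           #{token_csrf_ok?(FORGED, SESSION)}"
  puts "token check accepts legitimate request:       #{token_csrf_ok?(LEGIT, SESSION)}"
end
```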