[WEB SECURITY] CSRF: Flash + 307 redirect = Game Over

kuza55 kuza55 at gmail.com
Tue Feb 22 18:16:44 EST 2011

I'd just like to clarify (for the lulz), that Adobe have been aware of
this since May 2008.

However if it no longer works on IE, it means that some progress is
being made, because from what I heard the issue for Adobe was that
none of the browsers gave them enough control to be able to stop this.

On 11 February 2011 07:11, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> We see here that the POST request is being set to www.victim.com, with the additional headers and the POST body. Web server frameworks can no longer rely on the implied security of additional HTTP Request Headers alone to prevent CSRF.
> I think it would be more reasonable to convince Adobe to fix it, than
> to write off this mechanism as an XSRF defense... unfortunately, as I
> understand it, they are aware of this problem for a longer while (> 6
> months), and it's been quasi-public ever since...
> /mz
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list