[WEB SECURITY] prevent CSRF with origin header

James Kettle albinowax at gmail.com
Mon Mar 25 16:33:58 EDT 2013


I believe the Flash bug in question only allowed headers starting with
X- to be set:
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/URLRequestHeader.html

cheers,

James Kettle

On Sun, Mar 24, 2013, at 02:39 PM, Tiago Mendo wrote:
> Hi,
> 
> The OWASP CSRF prevention cheat sheet
> (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
> mentions the origin header as a method to prevent CSRF.
> 
> But isn't this method vulnerable to the same problem that affected Rails
> some time ago, which was based on a malicious Flash file with a 307 redirect
> that in some circumstances would allow cross-domain custom headers?
> 
> 
> thanks
> 
> Tiago Mendo
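As an added illustration (not code from either message in this thread), below is a minimal server-side Origin check of the kind the OWASP cheat sheet describes; the allow-list, header dictionary shape and the Referer fallback are assumptions made for the example. The defensive points it shows are that the comparison is an exact match against known origins and that a state-changing request with neither Origin nor Referer is rejected rather than waved through.

```python
from urllib.parse import urlsplit

# Origins the application is legitimately served from (constructed for this example).
ALLOWED_ORIGINS = {"https://app.example.com"}

def _origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def is_same_origin_request(headers, method):
    """Return True if a state-changing request should be accepted.

    headers: dict of request headers (looked up case-insensitively here).
    Safe methods are not subject to the check. For the rest, the Origin header
    is authoritative; if it is absent (older browsers), Referer is used as a
    fallback. If neither is present the request is rejected: a CSRF check
    that fails open on missing headers is not a check.
    """
    if method.upper() in {"GET", "HEAD", "OPTIONS"}:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        referer = h.get("referer")
        if referer is None:
            return False
        origin = _origin_of(referer)
    elif origin.lower() == "null":
        # Browsers send "null" for opaque/sandboxed origins; never trust it.
        return False
    else:
        origin = _origin_of(origin)
    # Exact match against the allow-list: no prefix or suffix matching, so
    # https://app.example.com.attacker.test (hypothetical) does not pass.
    return origin in ALLOWED_ORIGINS
```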
