websecurity@lists.webappsec.org

The Web Security Mailing List


prevent CSRF with origin header

Tiago Mendo
Sun, Mar 24, 2013 2:39 PM

Hi,

The OWASP CSRF prevention cheat sheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) mentions the origin header as a method to prevent CSRF.

But isn't this method vulnerable to the same problem that affected Rails some time ago, which was based on a malicious Flash file with a 307 redirect that in some circumstances would allow cross-domain custom headers?

thanks

Tiago Mendo
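An added example of the Origin-header defense the cheat sheet describes (this is not code from the thread, from Rails, or from OWASP): a server-side check on state-changing requests that compares the request's Origin against a single allowed origin, falls back to Referer when Origin is absent (older browsers and some form submissions do not send it), and rejects the literal "null" origin. The Rack-style env hash, the allowed origin `https://app.example`, and the sample requests are all constructed for the example.

```ruby
require 'uri'

# Constructed values for the example; a real deployment would take the
# allowed origin from configuration.
ALLOWED_ORIGIN = 'https://app.example'.freeze
SAFE_METHODS   = %w[GET HEAD OPTIONS].freeze

# Reduce a URL to its origin (scheme://host[:port], default port dropped),
# or nil if the value cannot be parsed as an absolute URL.
def origin_of(url)
  u = URI.parse(url.to_s)
  return nil unless u.scheme && u.host
  port = (u.port == u.default_port) ? '' : ":#{u.port}"
  "#{u.scheme.downcase}://#{u.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Rack-style env hash in, :allow or a rejection reason out.
# Only state-changing methods are checked; safe methods pass through.
def csrf_origin_check(env, allowed = ALLOWED_ORIGIN)
  return :allow if SAFE_METHODS.include?(env['REQUEST_METHOD'].to_s.upcase)

  origin = env['HTTP_ORIGIN']
  if origin
    # Opaque/sandboxed origins are sent as the literal "null"; never accept it.
    return :reject_null_origin if origin.strip.downcase == 'null'
    # Exact origin comparison: a prefix match would let
    # https://app.example.attacker.test through.
    return origin_of(origin) == allowed ? :allow : :reject_origin_mismatch
  end

  # No Origin header: fall back to Referer, and fail closed if that is
  # missing too (a cross-site request with neither cannot be vouched for).
  referer = env['HTTP_REFERER']
  return :reject_no_source if referer.nil? || referer.empty?
  origin_of(referer) == allowed ? :allow : :reject_referer_mismatch
end

if __FILE__ == $0
  # Constructed sample requests.
  [
    { 'REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN'  => 'https://app.example' },
    { 'REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN'  => 'https://evil.example' },
    { 'REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN'  => 'null' },
    { 'REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://app.example/settings' },
    { 'REQUEST_METHOD' => 'POST' }
  ].each { |env| puts "#{env.inspect} => #{csrf_origin_check(env)}" }
end
```

The check is only as strong as the browser's guarantee that page content cannot set Origin, so it complements rather than replaces a per-session token; the fallback to Referer matters because a request carrying neither header is indistinguishable from a forged one and must be rejected rather than waved through.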

James Kettle
Mon, Mar 25, 2013 8:33 PM

I believe the Flash bug in question only allowed headers starting with
X- to be set:
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/URLRequestHeader.html

cheers,

James Kettle

On Sun, Mar 24, 2013, at 02:39 PM, Tiago Mendo wrote:

> Hi,
>
> The OWASP CSRF prevention cheat sheet
> (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
> mentions the origin header as a method to prevent CSRF.
>
> But isn't this method vulnerable to the same problem that affected Rails
> some time ago, which was based on a malicious Flash file with a 307 redirect
> that in some circumstances would allow cross-domain custom headers?
>
> thanks
>
> Tiago Mendo


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Taras
Sun, Mar 31, 2013 4:52 PM

Hi,

BTW, what about browsers' support for the Origin header? FF/Chrome/Opera/IE?

On Sunday 24 March 2013 18:39 Tiago Mendo wrote:

> Hi,
>
> The OWASP CSRF prevention cheat sheet
> (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
> mentions the origin header as a method to prevent CSRF.
>
> But isn't this method vulnerable to the same problem that affected Rails
> some time ago, which was based on a malicious Flash file with a 307 redirect
> that in some circumstances would allow cross-domain custom headers?
>
> thanks
>
> Tiago Mendo

--
Taras
http://oxdef.info
GPG: C8D1F510

James Manico
Sun, Mar 31, 2013 4:59 PM

Hello,

I manage the cheat sheet series for OWASP.

I'm looking for a volunteer to fully rewrite the CSRF Cheatsheet. It
needs a major refresh. If anyone is interested, please drop me a line.

Regards,

Jim Manico
@Manicode
(808) 652-3805

On Apr 1, 2013, at 12:53 AM, Taras <oxdef@oxdef.info> wrote:

> Hi,
>
> BTW, what about browsers' support for the Origin header? FF/Chrome/Opera/IE?
>
> On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
>
>> Hi,
>>
>> The OWASP CSRF prevention cheat sheet
>> (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
>> mentions the origin header as a method to prevent CSRF.
>>
>> But isn't this method vulnerable to the same problem that affected Rails
>> some time ago, which was based on a malicious Flash file with a 307 redirect
>> that in some circumstances would allow cross-domain custom headers?
>>
>> thanks
>>
>> Tiago Mendo
