Hi,
The OWASP CSRF prevention cheat sheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) mentions the origin header as a method to prevent CSRF.
But isn't this method vulnerable to the same problem that affected Rails some time ago, which was based on a malicious flash with a 307 redirect that in some circumstances would allow cross-domain custom header?
thanks
Tiago Mendo
I believe the Flash bug in question only allowed headers starting with
X- to be set:
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/URLRequestHeader.html
cheers,
James Kettle
On Sun, Mar 24, 2013, at 02:39 PM, Tiago Mendo wrote:
Hi,
The OWASP CSRF prevention cheat sheet
(https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
mentions the origin header as a method to prevent CSRF.
But isn't this method vulnerable to the same problem that affected Rails
some time ago, which was based on a malicious flash with a 307 redirect
that in some circumstances would allow cross-domain custom header?
thanks
Tiago Mendo
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
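For reference, here is what the Origin-header check under discussion looks like on the server side. This is an added illustration, not code from the cheat sheet or from anyone in this thread: it checks the Origin header of a state-changing request against the site's own origin, falls back to the Referer header when Origin is absent (as the cheat sheet suggests), and rejects the request when neither is present. The function and header names and the sample requests are my own constructions; the second sample request carries a cross-domain X- header together with a foreign Origin, which is the case the Flash/307 question is about, and it is rejected on the Origin value alone.

```python
"""CSRF origin check: verify Origin (falling back to Referer) against the
target origin for state-changing requests. Added example; the function names,
sample requests and allowed origin are assumptions, not anything from the page."""
from urllib.parse import urlsplit

# Methods that should not change state and therefore need no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def origin_of(url):
    """Return scheme://host[:port] for a URL, or None if it has no scheme/host.

    Only the origin part of a Referer is compared, never the path or query.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_origin_check(method, headers, allowed_origins):
    """Return (allowed, reason) for one request.

    headers is a plain dict of request headers (keys compared case-insensitively).
    allowed_origins lists the site's own origins, e.g. ["https://app.example"].
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    hdrs = {k.lower(): v for k, v in headers.items()}
    allowed = {o.lower() for o in allowed_origins}

    # 1. Origin header: the browser sets it to exactly scheme://host[:port]
    #    (or the literal string "null", which must not be trusted).
    origin = hdrs.get("origin")
    if origin is not None:
        if origin.lower() == "null":
            return False, "Origin is 'null'"
        if origin.lower() in allowed:
            return True, "Origin matches target origin"
        return False, f"Origin {origin} is not an allowed origin"

    # 2. No Origin: fall back to the origin part of the Referer header.
    referer = hdrs.get("referer")
    if referer is not None:
        ref_origin = origin_of(referer)
        if ref_origin in allowed:
            return True, "Referer origin matches target origin"
        return False, "Referer origin is not an allowed origin"

    # 3. Neither header present: the cheat sheet's guidance is to reject.
    return False, "neither Origin nor Referer present"


# Constructed sample requests (method, headers) for a site whose origin is
# https://app.example. The second one carries an X- header and a foreign Origin.
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://app.example", "Cookie": "session=abc"}),
    ("POST", {"Origin": "https://evil.example", "X-Requested-With": "XMLHttpRequest"}),
    ("POST", {"Referer": "https://app.example/account/settings"}),
    ("POST", {}),
    ("GET", {}),
]

ALLOWED = ["https://app.example"]


def run_samples():
    """Apply the check to every sample request; returns the list of verdicts."""
    return [csrf_origin_check(m, h, ALLOWED)[0] for m, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, hdrs), ok in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{method:4} {hdrs!s:<70} -> {'allow' if ok else 'reject'}")
```

The decision rests only on the Origin (or Referer) value, so any custom X- header a cross-domain request happens to carry has no bearing on the outcome; that is the property that distinguishes this check from one that trusts the presence of a custom header.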
Hi,
BTW, what's about browser's support of Origin header? FF/Chrome/Opera/IE?
On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
Hi,
The OWASP CSRF prevention cheat sheet
(https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
mentions the origin header as a method to prevent CSRF.
But isn't this method vulnerable to the same problem that affected Rails
some time ago, which was based on a malicious flash with a 307 redirect
that in some circumstances would allow cross-domain custom header?
thanks
Tiago Mendo
--
Taras
http://oxdef.info
GPG: C8D1F510
Hello,
I manage the cheat sheet series for OWASP.
I'm looking for a volunteer to fully rewrite the CSRF Cheatsheet. It
needs a major refresh. If anyone is interested, please drop me a line.
Jim Manico
@Manicode
(808) 652-3805
On Apr 1, 2013, at 12:53 AM, Taras oxdef@oxdef.info wrote:
Hi,
BTW, what's about browser's support of Origin header? FF/Chrome/Opera/IE?
On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
Hi,
The OWASP CSRF prevention cheat sheet
(https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
mentions the origin header as a method to prevent CSRF.
But isn't this method vulnerable to the same problem that affected Rails
some time ago, which was based on a malicious flash with a 307 redirect
that in some circumstances would allow cross-domain custom header?
thanks
Tiago Mendo
--
Taras
http://oxdef.info
GPG: C8D1F510