[Catalyst] CSRF

Moritz Onken onken at houseofdesign.de
Tue Sep 30 19:08:38 BST 2008


On 30.09.2008 at 19:20, Ashley wrote:

> On Sep 30, 2008, at 10:08 AM, Moritz Onken wrote:
>> "attackers can use POST"
>>
>> This is possible due to the fact that flash movies can send any
>> request to a server.
>> You can achieve this even with an XMLHTTPRequest.
>
> If scripting is involved that makes it an XSS attack instead, though.
> No?
>
> -Ashley

I was wrong about the XMLHttpRequest. Posting to another server is not
possible because of the same origin policy.
But flash movies can send POST requests to a different server without
user interaction.

XSS is more like posting a JavaScript snippet to a Facebook wall which
does some JavaScript actions in the context of the user who opens that
wall.

cheers,

moritz

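The defence against the cross-site POST described in this thread is a per-session token that the forged request cannot know, optionally backed by an Origin check. The following is an added, framework-agnostic example (not code from this thread or from Catalyst); the `session` and `form` dicts and the `site_origin` value are assumptions standing in for the request objects a real application would pass in.

```python
import hmac
import secrets

# Methods that must never change state, so they need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Return the session's CSRF token, creating one on first use.

    The token is bound to the session, so a forged POST from another
    site (a hidden form or a Flash movie) has no way to obtain it."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def request_is_allowed(session, method, form, origin_header, site_origin):
    """Decide whether a request may proceed; returns (allowed, reason).

    `origin_header` is the request's Origin header or None when absent
    (older clients such as Flash did not send one, so absence alone is
    not treated as proof of a same-site request)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # A present Origin that does not match our site is a cross-site post.
    if origin_header is not None and origin_header != site_origin:
        return False, "origin mismatch"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if expected is None or submitted is None:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token.
    if not hmac.compare_digest(expected, submitted):
        return False, "token mismatch"
    return True, "token ok"


if __name__ == "__main__":
    # Constructed sample: one legitimate form post and one cross-site post.
    site = "https://app.example"
    session = {}
    token = issue_csrf_token(session)
    print(request_is_allowed(session, "POST", {"csrf_token": token}, site, site))
    print(request_is_allowed(session, "POST", {"amount": "100"}, None, site))
```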

