[Catalyst] CSRF
Moritz Onken
onken at houseofdesign.de
Tue Sep 30 19:08:38 BST 2008
On 30.09.2008 at 19:20, Ashley wrote:
> On Sep 30, 2008, at 10:08 AM, Moritz Onken wrote:
>> "attackers can use POST"
>>
>> This is possible due to the fact that flash movies can send any
>> request to a server.
>> You can achieve this even with an XMLHttpRequest.
>
> If scripting is involved that makes it an XSS attack instead, though.
> No?
>
> -Ashley
I was wrong about the XMLHttpRequest. Posting to another server is not
possible because of the same-origin policy.
But Flash movies can send POST requests to a different server without
user interaction.
XSS is more like posting a JavaScript snippet to a Facebook wall which
does some JavaScript actions in the context of the user who opens that
wall.
cheers,
moritz
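The point of the thread is that a cross-site POST can be triggered without the user's involvement, so checking the HTTP method alone does not stop CSRF; what the attacker cannot do (because of the same-origin policy) is read a value out of the victim's page. The usual mitigation builds on exactly that: a per-session token rendered into the site's own forms and checked on every state-changing request. The Catalyst controller below is an added example written for this thread, not code from the list or from the Catalyst project. It assumes Catalyst::Plugin::Session is loaded (so `$c->session` persists per user), that templates embed the stashed token as a hidden `csrf_token` field, and that `/dev/urandom` is available; the names `_csrf_token`, `_tokens_equal` and `_random_hex` are hypothetical helpers.

```perl
package MyApp::Controller::Root;   # hypothetical application name
use strict;
use warnings;
use base 'Catalyst::Controller';

__PACKAGE__->config(namespace => '');

# Read $nbytes of OS randomness and return them hex-encoded.
# rand() is not a cryptographic generator, so it is not used here.
sub _random_hex {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $nbytes;
    close $fh;
    die 'short read from /dev/urandom' unless defined $got && $got == $nbytes;
    return unpack 'H*', $bytes;
}

# Return the session's token, minting one on first use.
# Assumes Catalyst::Plugin::Session provides $c->session.
sub _csrf_token {
    my ($c) = @_;
    $c->session->{csrf_token} ||= _random_hex(32);
    return $c->session->{csrf_token};
}

# Constant-time comparison so the check does not leak how many
# leading characters of the submitted token were correct.
sub _tokens_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# auto runs before every action in the application. Safe methods only
# get the token stashed for the templates; anything else must echo the
# token back. A Flash movie or form on another origin can make the
# browser send the POST with the victim's cookies, but it cannot read
# the token out of the victim's page, so the request is rejected.
sub auto : Private {
    my ($self, $c) = @_;

    if ($c->req->method =~ /^(?:GET|HEAD|OPTIONS)$/) {
        $c->stash->{csrf_token} = _csrf_token($c);
        return 1;
    }

    my $expected  = $c->session->{csrf_token};
    my $submitted = $c->req->param('csrf_token');   # hidden field in our own forms

    unless (_tokens_equal($submitted, $expected)) {
        $c->log->warn('CSRF token mismatch for ' . $c->req->method . ' ' . $c->req->uri);
        $c->res->status(403);
        $c->res->body('Forbidden: missing or invalid CSRF token');
        return 0;   # returning false from auto stops the dispatch chain
    }

    $c->stash->{csrf_token} = $expected;
    return 1;
}

1;
```

Forms rendered by the application include the stashed value, for example `<input type="hidden" name="csrf_token" value="[% csrf_token %]">` in a Template Toolkit view; a POST forged from another site has no way to fill that field, so `auto` returns 0 and the real action never runs. Rotating the token per session rather than per request keeps multi-tab use working while still tying every write to a value only the legitimate page could have read.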