[Catalyst] CSRF
Wade.Stuart at fallon.com
Tue Sep 30 20:15:50 BST 2008
Moritz Onken <onken at houseofdesign.de> wrote on 09/30/2008 01:08:38 PM:
>
> Am 30.09.2008 um 19:20 schrieb Ashley:
>
> > On Sep 30, 2008, at 10:08 AM, Moritz Onken wrote:
> >> "attackers can use POST"
> >>
> >> This is possible because Flash movies can send any
> >> request to a server.
> >> You can achieve this even with an XMLHttpRequest.
> >
> > If scripting is involved, that makes it an XSS attack instead, though.
> > No?
> >
> > -Ashley
>
> I was wrong about the XMLHttpRequest. Posting to another server is not
> possible because of the same-origin policy.
> But Flash movies can send POST requests to a different server without
> user interaction.
Actually, no. Flash can do a GET to another server (hostname), but as of
Flash 7 (they are at 9 now), you need a crossdomain.xml file on the
receiving end to allow POST and data loads.
>
> XSS is more like posting a JavaScript snippet to a Facebook wall which
> does some JavaScript actions in the context of the user who opens that
> wall.
>
> cheers,
>
> moritz
>
> _______________________________________________
> List: Catalyst at lists.scsys.co.uk
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
> Dev site: http://dev.catalyst.perl.org/
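As an added illustration (not code from this thread or from Catalyst) of Wade's point that a cross-origin Flash POST depends on the receiving site's crossdomain.xml: a small checker that parses a policy, decides whether a movie served from a given hostname would be permitted, and flags the wide-open `domain="*"` case. The two policies are constructed samples, and the wildcard matching is a simplified model of Flash's rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from the thread): one wide open, one scoped.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="true"/>
  <allow-access-from domain="partner.example.net"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns a crossdomain.xml grants access to."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.findall("allow-access-from")]


def host_matches(pattern, host):
    """Simplified model (assumption): '*' matches everything, '*.x' matches
    subdomains of x, anything else must match the hostname exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def cross_origin_post_allowed(policy_xml, requester_host):
    """Would a Flash movie served from requester_host be allowed to POST here?"""
    return any(host_matches(p, requester_host) for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """Flag the CSRF-enabling configuration: any site may drive POSTs that
    carry the victim's cookies to this host."""
    findings = []
    for pattern in allowed_domains(policy_xml):
        if pattern == "*":
            findings.append("domain='*' lets any site POST with the user's cookies")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "evil.test may POST:", cross_origin_post_allowed(policy, "evil.test"))
        print(name, "findings:", audit(policy))
```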