[Catalyst] CSRF
Moritz Onken
onken at houseofdesign.de
Tue Sep 30 21:46:23 BST 2008
Am 30.09.2008 um 21:15 schrieb Wade.Stuart at fallon.com:
>
> Moritz Onken <onken at houseofdesign.de> wrote on 09/30/2008 01:08:38 PM:
>
>>
>> Am 30.09.2008 um 19:20 schrieb Ashley:
>>
>>> On Sep 30, 2008, at 10:08 AM, Moritz Onken wrote:
>>>> "attackers can use POST"
>>>>
>>>> This is possible due to the fact that flash movies can send any
>>>> request to a server.
>>>> You can achieve this even with a XMLHTTPRequest.
>>>
>>> If scripting is involved that makes it a XSS attack instead, though.
>>> No?
>>>
>>> -Ashley
>>
>> I was wrong about the XMLHttprequest. Posting to another server is
>> not
>> possible as of the same origin policy.
>> But flash movies can send post request to a different server without
>> user interaction.
>
> Actually, no. Flash can do GET to another server (hostname) but as of
> flash 7 (they are at 9 now), you need a crossdomain.xml file on the
> receiving end to allow POST and data loads.
I'm sorry, didn't know about that. But it's still possible to submit a
(invisble) form with the method set to POST without any user interaction
(chapter 2.3 from the paper).
moritz
More information about the Catalyst
mailing list