[Catalyst] CSRF

Moritz Onken onken at houseofdesign.de
Tue Sep 30 21:46:23 BST 2008

Am 30.09.2008 um 21:15 schrieb Wade.Stuart at fallon.com:

> Moritz Onken <onken at houseofdesign.de> wrote on 09/30/2008 01:08:38 PM:
>> Am 30.09.2008 um 19:20 schrieb Ashley:
>>> On Sep 30, 2008, at 10:08 AM, Moritz Onken wrote:
>>>> "attackers can use POST"
>>>> This is possible due to the fact that flash movies can send any
>>>> request to a server.
>>>> You can achieve this even with a XMLHTTPRequest.
>>> If scripting is involved that makes it a XSS attack instead, though.
>>> No?
>>> -Ashley
>> I was wrong about the XMLHttprequest. Posting to another server is  
>> not
>> possible as of the same origin policy.
>> But flash movies can send post request to a different server without
>> user interaction.
> Actually, no.  Flash can do GET to another server (hostname) but as of
> flash 7 (they are at 9 now),  you need a crossdomain.xml file on the
> receiving end to allow POST and data loads.

I'm sorry, didn't know about that. But it's still possible to submit a
(invisble) form with the method set to POST without any user interaction
(chapter 2.3 from the paper).


More information about the Catalyst mailing list