
Simon Willison’s Weblog

CSRF: Flash + 307 redirect = Game Over. Here’s the exploit that Django and Rails both just released fixes for. It’s actually a flaw in the Flash player. Flash isn’t meant to be able to make cross-domain HTTP requests with custom HTTP headers unless the crossdomain.xml file on the other domain allows them to, but it turns out a 307 redirect (like a 302, but allows POST data to be forwarded) confuses the Flash player into not checking the crossdomain.xml on the host it is being redirected to.
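As an added example (not the post's or the frameworks' code) of why the forwarded headers matter: a guard that accepts a custom request header as evidence of a same-origin request, which is my assumption about the kind of check being defeated, passes a 307-forwarded POST, while a token bound to the session does not. Hostnames, the session value and the token are constructed.

```python
# Added illustration (not the post's code): a CSRF guard that trusts a custom
# request header is defeated by a 307 redirect, a session-bound token is not.
# follow_307 models the browser behaviour the post and comment 1 describe.
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    host: str
    headers: dict
    body: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

# Constructed state: the victim's browser is logged in to target.example
# (placeholder host) and the server bound a CSRF token to that session.
BROWSER_COOKIES = {"target.example": {"session": "victim-session"}}
SESSION_TOKENS = {"victim-session": secrets.token_hex(16)}

def follow_307(req, new_host):
    """Browser following a 307: unlike a 302 the POST stays a POST, body and
    custom headers included, and the browser attaches its cookies for new_host."""
    return Request(req.method, new_host, dict(req.headers), dict(req.body),
                   dict(BROWSER_COOKIES.get(new_host, {})))

def header_only_check(req):
    """Weak guard: a custom header taken as proof the request is same-origin."""
    return req.headers.get("X-Requested-With") == "XMLHttpRequest"

def token_check(req):
    """Stronger guard: body must carry the token bound to the session cookie."""
    expected = SESSION_TOKENS.get(req.cookies.get("session", ""))
    return expected is not None and hmac.compare_digest(
        expected, req.body.get("csrf_token", ""))

def cross_site_post_outcome():
    """POST begun on another origin and 307-redirected to target.example: the
    header rides along, but the victim's token cannot be in the body."""
    first_hop = Request("POST", "other.example",
                        {"X-Requested-With": "XMLHttpRequest"}, {"action": "pay"})
    landed = follow_307(first_hop, "target.example")
    return {"header_only": header_only_check(landed), "token": token_check(landed)}

def same_site_post_outcome():
    """Legitimate form post rendered by target.example with the token embedded."""
    req = Request("POST", "target.example", {},
                  {"action": "pay", "csrf_token": SESSION_TOKENS["victim-session"]},
                  dict(BROWSER_COOKIES["target.example"]))
    return {"header_only": header_only_check(req), "token": token_check(req)}
```

The header-only guard accepts the redirected request and rejects the honest form post, which is the wrong way round; the token guard gets both cases right.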


19 comments

  1. For the record, this isn't strictly speaking a flash player vulnerability.

    The redirection and cookie-inclusion is done entirely by the browser, at that stage flash has already handed back control. That's part of what made this so insidious, flash wasn't violating the cross domain policy, and the browser was doing the 'right' thing by following the redirect as the spec requires.

    However the combination of those two pieces could add up to a painful defect.

    Michael Koziarski - 11th February 2011 06:12 - #

  2. I should also add, wtf do I know about browser implementations, I could be wrong but that was my understanding from the C++ digging I did in the mozilla code (the only browser which warned on the 307).

    Michael Koziarski - 11th February 2011 06:26 - #

  3. Agree on Michael Koziarski's comments.

    NPAPI doesn't provide detailed control means.

    annoymous - 25th February 2011 10:52 - #


Comments are closed.