On 30.09.2008 at 21:15, [EMAIL PROTECTED] wrote:
> Moritz Onken <[EMAIL PROTECTED]> wrote on 09/30/2008 01:08:38 PM:
>> On 30.09.2008 at 19:20, Ashley wrote:
>>> On Sep 30, 2008, at 10:08 AM, Moritz Onken wrote:
>>>> "attackers can use POST"
>>>> This is possible due to the fact that flash movies can send any
>>>> request to a server.
>>> You can achieve this even with an XMLHttpRequest.
>>> If scripting is involved that makes it an XSS attack instead, though.
>>> No?
>>> -Ashley
>> I was wrong about the XMLHttpRequest. Posting to another server is
>> not possible because of the same-origin policy.
>> But flash movies can send POST requests to a different server without
>> user interaction.
> Actually, no. Flash can do GET to another server (hostname) but as of
> flash 7 (they are at 9 now), you need a crossdomain.xml file on the
> receiving end to allow POST and data loads.
I'm sorry, didn't know about that. But it's still possible to submit an
(invisible) form with the method set to POST without any user interaction
(chapter 2.3 from the paper).
moritz
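Added example (not code from this thread or from Catalyst): a server-side comparison of the "only accept POST" rule the thread discusses, which a hidden auto-submitted form defeats, beside a synchronizer-token check that the cross-site form cannot satisfy. The Request class, session dict, host name and the two sample requests are constructed stand-ins.

```python
import hmac
import secrets

# Constructed stand-in for an incoming HTTP request: method, headers, form body.
class Request:
    def __init__(self, method, headers, form):
        self.method = method
        self.headers = headers
        self.form = form

def method_only_check(req):
    """The assumption under discussion: 'only accept POST'. Not a CSRF defence,
    because a hidden form on another site can be auto-submitted with POST."""
    return req.method == "POST"

def issue_token(session):
    """Store a fresh random token in the server-side session and return it for
    embedding as a hidden field in each form the site itself renders."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]

def token_check(req, session, own_host="app.example"):
    """Synchronizer-token check: POST, the session's token in the body (compared
    in constant time), and an Origin header for our host if the browser sent one."""
    if req.method != "POST":
        return False
    expected = session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    origin = req.headers.get("Origin")
    if origin is not None and origin != f"https://{own_host}":
        return False
    return True

def demo():
    session = {}                        # the victim's logged-in session
    token = issue_token(session)
    # Legitimate submission of a form the site rendered with the token embedded.
    legit = Request("POST", {"Origin": "https://app.example"},
                    {"amount": "10", "csrf_token": token})
    # Forged submission: hidden form on another site, auto-submitted as POST.
    # The browser attaches the victim's cookies, but the other site cannot
    # read the token out of the victim's session, so the field is missing.
    forged = Request("POST", {"Origin": "https://evil.example"}, {"amount": "10"})
    return {"legit_method_only": method_only_check(legit),
            "forged_method_only": method_only_check(forged),
            "legit_token": token_check(legit, session),
            "forged_token": token_check(forged, session)}
```

Both requests pass the method-only rule; only the one carrying the session's token passes the token check.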
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/