Any idea on how someone would exploit this? (CSRF Bypass)

Does anyone know how I could set up a Flash file and a redirect to bypass a simple CSRF protection? (There is no CSRF token, only a header stopping me from completing this CSRF: X-Requested-With: XMLHttpRequest)
I know this can be done on Safari, but there is no tutorial documenting how to do so =(

It is exactly the same scenario as this report:

Would really appreciate it if someone could point me in the right direction.

I had a case where I could get hold of the XSRF token value, but I needed it to be sent as an HTTP header in order to make use of it. Let me know if you gain some more insights into this.

It’s explained in the link you posted how it’s performed. Watching the Vimeo video also explains it a bit. However, I think it’s fixed now, so it won’t work any longer.

See (applies to Chrome+Flash, other browsers still vulnerable?)
https://hackerone.com/reports/42240

What sucks is this only works on older browsers, any other way?
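
Added example, not part of the thread and not code from the linked report: the header-only check the question describes, shown from the server side next to a check that does not depend on the browser blocking custom headers. The origin, key, session ids and the `X-CSRF-Token` header name are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed values for illustration (constructed, not from the thread).
ALLOWED_ORIGINS = {"https://app.example.test"}
SERVER_KEY = b"constructed-demo-key"  # in practice, load from a secret store


def _lower(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def header_only_check(headers):
    """Weak form described in the thread: trusts a single request header."""
    return _lower(headers).get("x-requested-with") == "XMLHttpRequest"


def issue_token(session_id):
    """Token bound to the session, so one session's token fails in another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_check(headers, session_id):
    """Require an allow-listed Origin and a valid session-bound token."""
    h = _lower(headers)
    if h.get("origin") not in ALLOWED_ORIGINS:
        return False
    supplied = h.get("x-csrf-token", "").encode()
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(supplied, expected)  # constant-time compare


# Constructed sample requests.
CROSS_SITE = {"X-Requested-With": "XMLHttpRequest",
              "Origin": "https://other.example.test"}
SAME_SITE = {"X-Requested-With": "XMLHttpRequest",
             "Origin": "https://app.example.test",
             "X-CSRF-Token": issue_token("sess-1")}

if __name__ == "__main__":
    for name, req in (("cross-site", CROSS_SITE), ("same-site", SAME_SITE)):
        print(name, header_only_check(req), hardened_check(req, "sess-1"))
```

The header-only check accepts any request that carries the header, whatever its origin; the hardened check rejects it unless the Origin is allow-listed and the token matches the caller's session.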