web application security lab

Flash 8.0 Fixes Certain Header Spoofing Issues

So I finally broke down and bought Flash 8.0, and I noticed that a number of issues that had previously allowed for header spoofing are now fixed. Namely, if you have a header that already exists (like Host: or Referer:), you can no longer overwrite it. That has huge impacts for referer spoofing as well as for anti-DNS pinning attacks.

You can still write headers that don’t exist, force POST requests, and other fun stuff (I’m still in the early stages of looking at the binary socket support). But I think the folks at Adobe probably saw how big an issue their software was creating and they reacted by closing down several of the issues. I’m not sure if there is logic about when you can and can’t overwrite the fields, but so far I haven’t had any luck in overwriting anything that exists. Adobe made a smart move by keeping these fields off limits.
