Add category for Flash-based CSRF

[hakluke]

We have multiple XSS categories including a P4 flash-based XSS category, but we have not done the same with CSRF.

I recommend a P4 flash-based CSRF category for the old 307 redirect trick.

https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b

[plr0man]

As we know Flash is dying and we made some adjustments to reflect that in 2018. There's some good discussion in #120. Looks like it's time again to take further steps, and we may continue to lower the baselines in the future. The general consensus when we discussed this was that CSRF issues which would be rated at P3 or higher without the need for Flash, should be rated at P4 if Flash was required. Any CSRF issues that would normally be rated lower than P3, should be rated at P5 if Flash is required.
With that said here are the proposed entries:
P4 – Cross-Site Request Forgery (CSRF) > Flash-Based > High Impact
P5 – Cross-Site Request Forgery (CSRF) > Flash-Based > Low Impact

[hakluke]

Looks good to me. Just to be crystal clear - to be rated P4, the PoC would need to perform a sensitive action. To be considered a sensitive action, it would need to result in an account takeover, exfiltration of PII, or something of that ilk.