json-flash-csrf-poc
Did not work on IE11 or Firefox on Windows 10
IE11 has Flash enabled by default, but when the 307 was received, the POST request left out the Content-Type header, which caused the remote API endpoint to reject the request.
11.706.17134.0 version. Latest Flash installed.
Which OS and browsers should this work on?
Firefox 66.0.4 with the latest Adobe Flash Player installed (and enabled) results in the 307, but the resulting request after the redirect is not a POST but instead a GET.
Can confirm that this works on Windows 10 with Google Chrome Version 74.0.3729.131 (Official Build) (64-bit)
However, the victim still has to do the Click to run on the Flash Player content before it will execute.