Sla.ckers.org
A silly question about Crossdomain.xml
Posted by: acemutha
Date: February 03, 2009 10:44AM

Hi all, I have a question about the mechanism that rules the communication between the Flash player and a crossdomain.xml file.
I've read in Appendix B of http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf that if a Flash file on evil.com tries to send a request to trusted.com and evil.com is not in the crossdomain.xml file, then after loading the XML file the Flash would be blocked. Now the question is: blocked by trusted.com, or by the Flash object itself? Because if it is blocked by the latter, then I think it's possible to use a proxy serving a fake crossdomain.xml and then redirecting the request to trusted.com.

Thanks in advance for your time.

Re: A silly question about Crossdomain.xml
Posted by: trev
Date: February 03, 2009 02:39PM

It is a security mechanism implemented in the Flash plugin itself. However, I don't see how you would serve a fake crossdomain.xml other than via DNS rebinding (which doesn't get you very far). You cannot just go change the proxy settings - if you could you wouldn't need crossdomain.xml.

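trev's point is that the policy is enforced on the requesting side: Flash Player fetches the target's crossdomain.xml and applies it itself, so the target server never sees a "blocked" request, and the only way to feed the player a different policy is to answer for the target's hostname (hence DNS rebinding). The Python below is an added example, not code from the thread or from Adobe: it models that client-side decision against a constructed policy patterned on the BBC file quoted later in the thread. The wildcard and secure-attribute semantics it implements are my reading of Adobe's policy-file specification and are assumptions.

```python
"""Evaluate a Flash crossdomain.xml the way Flash Player does: the policy is
plain data fetched from the *target* site, and the allow/deny decision is
taken entirely inside the requesting player. Constructed example."""
import xml.etree.ElementTree as ET

# Constructed policy, trimmed and modelled on the one quoted in the thread.
POLICY_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.bbc.co.uk"/>
  <allow-access-from domain="*.bbc.co.uk"/>
  <allow-access-from domain="*.bbcamerica.com"/>
  <allow-access-from domain="dc01.dc.bbc.co.uk" secure="false"/>
</cross-domain-policy>
"""


def parse_policy(xml_text):
    """Return a list of (domain_pattern, secure_flag) tuples."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # Assumption: secure defaults to true; secure="false" relaxes it.
        secure = el.get("secure", "true").lower() != "false"
        rules.append((domain, secure))
    return rules


def domain_matches(pattern, host):
    """Assumed Adobe matching rules: '*' matches everything;
    '*.example.com' matches example.com and any subdomain of it;
    anything else is an exact, case-insensitive host match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(rules, requesting_host, target_is_https=True,
               requester_is_https=True):
    """Would a SWF served from requesting_host be allowed to read the target?
    Assumption: an HTTPS target refuses plain-HTTP requesters unless the
    matching rule carries secure="false"."""
    for pattern, secure in rules:
        if not domain_matches(pattern, requesting_host):
            continue
        if target_is_https and not requester_is_https and secure:
            continue
        return True
    return False


def risky_rules(rules):
    """Entries a reviewer would flag in a policy file."""
    findings = []
    for pattern, secure in rules:
        if pattern == "*":
            findings.append((pattern, "allows every origin"))
        elif not secure:
            findings.append((pattern, "secure=false lets HTTP SWFs read HTTPS content"))
    return findings


if __name__ == "__main__":
    rules = parse_policy(POLICY_XML)
    for origin in ("news.bbc.co.uk", "bbc.co.uk", "evil.com", "bbc.co.uk.evil.com"):
        verdict = "ALLOW" if is_allowed(rules, origin) else "DENY"
        print(f"{origin:22} -> {verdict}")
    for pattern, why in risky_rules(rules):
        print(f"flag {pattern!r}: {why}")
```

Note that nothing in `is_allowed` ever contacts trusted.com: the server only supplies the document, which is why a policy file cannot protect a site whose own SWFs can be pointed at attacker-controlled data.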
Re: A silly question about Crossdomain.xml
Posted by: Gareth Heyes
Date: February 03, 2009 03:05PM

crossdomain.xml is useless when there is a flaw with unfiltered user input. For example, let's look at the crossdomain file of bbc.co.uk:

http://news.bbc.co.uk/crossdomain.xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="downloads.bbc.co.uk"/>
<allow-access-from domain="www.bbcamerica.com"/>
<allow-access-from domain="*.bbcamerica.com"/>
<allow-access-from domain="www.bbc.co.uk"/>
<allow-access-from domain="news.bbc.co.uk"/>
<allow-access-from domain="newsimg.bbc.co.uk"/>
<allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk"/>
<allow-access-from domain="newsrss.bbc.co.uk"/>
<allow-access-from domain="newsapi.bbc.co.uk"/>
<allow-access-from domain="extdev.bbc.co.uk"/>
<allow-access-from domain="stats.bbc.co.uk"/>
<allow-access-from domain="*.bbc.co.uk"/>
<allow-access-from domain="*.bbc.com"/>
<!--allow access for BBC jam servers-->
<allow-access-from domain="jam.bbc.co.uk"/>
<allow-access-from domain="dc01.dc.bbc.co.uk"/>
</cross-domain-policy>

All useless because the URL params are unfiltered for external URLs:
http://news.bbc.co.uk/sol/shared/spl/hi/selector/v_00010/swf/ssplayer.swf?path=http://www.businessinfo.co.uk/labs/selector/&teamid=55&pageurl=http://news.bbc.co.uk/sport1/shared/spl/hi/football/squad_selector/team_of_the_week/html/ss_team.stm&kittype=gif&

So the evil domain serves a crossdomain.xml file and we can send data to the victim.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

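The bypass Gareth describes never touches the BBC's policy file: the SWF on news.bbc.co.uk is told, through its unfiltered `path` parameter, to load from the attacker's host, and it is the attacker's own crossdomain.xml (which can say whatever the attacker likes) that permits that load. The fix therefore belongs in the SWF or the page serving it, not in the policy. The Python below is an added example, not the BBC's code or Gareth's: it reconstructs the `path` handling from the URL quoted above, shows the unfiltered value beside an allowlisted version, and covers the host-confusion inputs a review should probe. The allowlist itself is assumed.

```python
"""Allowlisting a SWF's loader parameter. Constructed example: it reproduces
the 'path' query parameter from the URL quoted in the thread and shows why a
bare "does it look like a URL?" check is not enough."""
from urllib.parse import urlsplit, parse_qs

# Hosts the player is meant to load data from (assumed allowlist).
ALLOWED_HOSTS = {"news.bbc.co.uk", "newsimg.bbc.co.uk", "www.bbc.co.uk"}

# Copy of the request quoted in the thread; 'path' is attacker-controlled.
SAMPLE_URL = (
    "http://news.bbc.co.uk/sol/shared/spl/hi/selector/v_00010/swf/ssplayer.swf"
    "?path=http://www.businessinfo.co.uk/labs/selector/&teamid=55"
    "&pageurl=http://news.bbc.co.uk/sport1/shared/spl/hi/football/"
    "squad_selector/team_of_the_week/html/ss_team.stm&kittype=gif&"
)
SAMPLE_QUERY = urlsplit(SAMPLE_URL).query


def unfiltered_path(query):
    """What the vulnerable player effectively does: use 'path' as given."""
    return parse_qs(query).get("path", [""])[0]


def path_host(path):
    """Host a loader would actually contact for this 'path' value.
    Returns None for anything that is not a plain absolute http(s) URL."""
    parts = urlsplit(path)
    if parts.scheme not in ("http", "https"):
        return None  # '//evil.com/x' (scheme-relative), 'javascript:' etc.
    if parts.username is not None or parts.password is not None:
        return None  # 'http://news.bbc.co.uk@evil.com/' really goes to evil.com
    return (parts.hostname or "").lower()


def filtered_path(query):
    """Hardened version: accept 'path' only if its host is allowlisted.
    Exact host match, so 'news.bbc.co.uk.evil.com' is rejected."""
    path = unfiltered_path(query)
    host = path_host(path)
    if host in ALLOWED_HOSTS:
        return path
    return None


if __name__ == "__main__":
    print("vulnerable loads from:", path_host(unfiltered_path(SAMPLE_QUERY)))
    print("hardened accepts:     ", filtered_path(SAMPLE_QUERY))
    probes = (
        "http://news.bbc.co.uk/a/",
        "http://news.bbc.co.uk.evil.com/",
        "http://news.bbc.co.uk@evil.com/",
        "//evil.com/",
        "HTTP://NEWS.BBC.CO.UK/x",
    )
    for probe in probes:
        print(f"{probe:36} -> {filtered_path('path=' + probe)}")
```

Matching on the parsed hostname rather than on a string prefix is the whole point: a prefix check such as `path.startswith("http://news.bbc.co.uk")` passes both the subdomain-of-attacker and the userinfo forms above.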