Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Flash, crossdomain.xml, and pwnage
Posted by: hexfortyfive
Date: September 04, 2008 12:31PM

I was asked to look into cross domain policy stuff for Flash. It seems since Flash 9, if a SWF on DOMAIN1 tells the client to download a file from DOMAIN2, the client checks for DOMAIN2's policy file to ensure it's allowed before grabbing the file.

This is fine. But we live in the time of Web 2.0, where people want to mashup everything they can. So if DOMAIN2's policy is to allow anybody to read any file, what are the incurred risks to DOMAIN2 (or the client)?

Obviously if DOMAIN2 has a webpage weak to CSRF, an evil DOMAIN1 can have the client go to that CSRF and perform actions -- but DOMAIN1 could do this with an iframe or an img tag.

XSS? if there is a non-persistent XSS weakness on DOMAIN2, and DOMAIN1 tells the client to read an evil URL with XSS in it, is the client going to execute the javascript? My gut says no, but I don't know enough about flash.

Anything else anyone can think of? Most of the Flash topics on the forum are old and I didn't see cross-domain policies discussed anywhere outside webdev forums that say "yeah just open it right up folks".

Options: ReplyQuote
Re: Flash, crossdomain.xml, and pwnage
Posted by: kuza55
Date: September 07, 2008 04:36AM

Umm, if you allow read access, you allow an attacker to read all the content in the crossdomain.xml's directory and below, so an attacker sees everything the user sees and can bypass CSRF checks since it can get all the nonces.

If you absolutely must allow access to something, either put it all on a subdomain and enable access for that domain, or put it all in a directory (but not on IIS until the next Flash patch, I'm not going to say why, just trust me) and put the crossdomain.xml file in that directory. And make sure there's absolutely nothing private in those directories.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Options: ReplyQuote
Re: Flash, crossdomain.xml, and pwnage
Posted by: Perow
Date: May 19, 2009 03:41PM

This is indeed very powerful, while not many people know about this. A flash script hosted on DOMAIN41 allows you to send requests to DOMAIN2 and will handle the request using the browser cookies of DOMAIN2.

While generally very similar to a simple CSRF, this method will be able to fetch a response from the request, allowing you to view the source of the requested page as if you were using the cookies on the victim's browser.

Options: ReplyQuote


Sorry, only registered users may post in this forum.