Adobe Flash: Cross-domain policy
The next few posts will be about Adobe Flash’s cross-domain behavior. This post focuses on the policy file, crossdomain.xml.
Adobe Flash can read data cross-domain. In ActionScript a cross-domain read can be issued with the sendAndLoad method (http://www.adobe.com/support/flash/action_scripts/actionscript_dictionary/actionscript_dictionary435.html). Obviously, an arbitrary cross-domain read would be bad/fun (depending on your point of view): the request goes out from the victim’s browser, so it carries the victim’s cookies for the target site, and the response is handed to a Flash movie the requesting site controls. In any case, this would not be good for security. Crossdomain.xml determines whether a cross-domain read is allowed in Flash. If the file does not exist, the read is prohibited.
When a Flash movie attempts a cross-domain read, Flash Player first requests /crossdomain.xml from the target of the read. For example, if a movie attempts to read http://www.adobe.com/ cross-domain, Flash Player first requests http://www.adobe.com/crossdomain.xml. A movie can also ask Flash Player to load a policy file from another location on the target with System.security.loadPolicyFile(); in Flash Player 9.0.124 and later, whether such non-root policy files are honored is governed by the site-control element of the master policy file at the root.
More information on crossdomain.xml is available here - http://livedocs.adobe.com/flash/9.0/main/00001085.html. Basically, the file lists, in allow-access-from elements, the domains permitted to read the site’s content cross-domain. Wildcards are allowed: domain="*.example.com" covers the subdomains of example.com, and domain="*" allows any domain at all, which means any site on the Internet can read the target’s content, including pages that require the user to be logged in.
When pen-testing a web site, check whether crossdomain.xml allows access from a domain where you can author content (or from "*"); if it does, a Flash movie you host can read the site’s pages as the logged-in victim. I found an example of what appears to be a website compromise that included writing crossdomain.xml. http://gestionaconleaseplan.com/crossdomain.xml appears to have been written by a Turkish hacking group. However, the contents aren’t malicious. The file contains a few HTML tags to format a hacker group’s name and is not a correctly formatted XML file.

The best way to determine whether a domain’s contents can be read through Flash is to examine its crossdomain.xml. Demos are always nice, so I’ve written a small tool to demonstrate whether cross-domain read access is allowed for the domain specified. You can try it out here - http://www.securitybughunter.com/tools/crossdomainxml.
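The policy-file format described above and the kind of check the tool performs, as an added example written for this page (it is not the author’s tool and not Adobe’s code). It parses a crossdomain.xml the way Flash Player would need to, matches a requesting domain against each allow-access-from rule, and reports why access is granted or denied. The three policy files are constructed samples, the domain names are hypothetical, and two behaviors are assumptions noted in the comments: that "*.example.com" also matches the bare example.com, and that a site-control value of "none" disables every policy file including the master one. A policy that is not well-formed XML, like the defaced one in the post, grants nothing.

```python
"""Check whether a Flash crossdomain.xml grants cross-domain read access to a
requesting domain. Added example, not the original post's tool."""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy files (not copied from any real site).
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.org" secure="false"/>
</cross-domain-policy>"""

# A defacement dropped in place of the policy, like the one the post describes:
# HTML rather than well-formed XML, so Flash Player rejects it and denies the read.
DEFACED_POLICY = '<b><font color=red>Hacked by SomeGroup</font></b>'


def domain_matches(pattern, domain):
    """Match a requesting domain against an allow-access-from domain pattern.

    '*' matches anything. '*.example.com' matches every subdomain and (assumed
    here, following the Flash Player documentation) example.com itself.
    Anything else is an exact, case-insensitive comparison.
    """
    pattern, domain = pattern.lower(), domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return domain == pattern[2:] or domain.endswith(pattern[1:])
    return pattern == domain


def policy_allows(policy_xml, requester, requester_scheme="http",
                  policy_scheme="http"):
    """Return (allowed, reason) for a SWF served from requester_scheme://requester
    that tries to read from the site that served policy_xml over policy_scheme."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return False, f"policy is not well-formed XML ({exc}); Flash denies the read"
    if root.tag != "cross-domain-policy":
        return False, f"root element is <{root.tag}>, not <cross-domain-policy>"
    site_control = root.find("site-control")
    # Assumption: "none" disables every policy file on the host, this one included.
    if (site_control is not None
            and site_control.get("permitted-cross-domain-policies") == "none"):
        return False, "site-control forbids every policy file, this one included"
    for rule in root.findall("allow-access-from"):
        pattern = rule.get("domain", "")
        if not domain_matches(pattern, requester):
            continue
        # A policy served over https applies only to https requesters unless
        # secure="false" explicitly lets http-served SWFs read https content.
        if (policy_scheme == "https" and requester_scheme != "https"
                and rule.get("secure", "true").lower() != "false"):
            continue
        if pattern == "*":
            return True, 'domain="*": any site can read, with the victim\'s cookies'
        return True, f'matched allow-access-from domain="{pattern}"'
    return False, "no allow-access-from rule matches; Flash denies the read"


def fetch_policy(target_url, timeout=10):
    """Fetch /crossdomain.xml from the target's root, as Flash Player does
    before a cross-domain read. Returns (policy_text, scheme)."""
    parts = urlsplit(target_url)
    policy_url = f"{parts.scheme}://{parts.netloc}/crossdomain.xml"
    with urllib.request.urlopen(policy_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace"), parts.scheme


if __name__ == "__main__":
    # Usage: crossdomain_check.py http://target.example/ attacker.example
    # (hypothetical names). With no arguments, run against the samples above.
    if len(sys.argv) == 3:
        text, scheme = fetch_policy(sys.argv[1])
        print(policy_allows(text, sys.argv[2], policy_scheme=scheme))
    else:
        samples = [("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY),
                   ("defaced", DEFACED_POLICY)]
        for name, text in samples:
            for who in ("www.example.com", "attacker.example.net"):
                print(f"{name:10} {who:22} -> {policy_allows(text, who)}")
```

Run it with no arguments to see the three samples evaluated for a subdomain the restricted policy trusts and for an arbitrary outside domain; with a target URL and a requesting domain it fetches the live policy from the target’s root, which is the same first request Flash Player makes. A True result for a domain you control, or for "*", is the finding worth writing up.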

More fun with Flash and cross-domain shortly.
Labels: cross-domain, crossdomain.xml, Flash, tool