Insecure RIA cross domain policy

OWASP 2013-A3 OWASP 2017-A6 CWE-942 WASC-13 WSTG-CONF-08

Rich Internet Applications (RIAs) rely on Adobe's crossdomain.xml policy file to allow cross-domain access to data; client runtimes such as Adobe Flash and Oracle Java honour these policy files. For a cross-domain request to be allowed, the hosting domain must explicitly grant remote access to other domains in the policy file. The policy file can describe access restrictions, but if those restrictions are poorly configured the server becomes vulnerable to attacks such as Cross-Site Request Forgery (CSRF) and may allow third-party domains to access sensitive information.

A cross-domain policy file specifies the permissions that web clients (such as Adobe Flash, Adobe Reader, Java and others) are granted to access resources on other domains. Microsoft's Silverlight uses a file named clientaccesspolicy.xml that plays the same role as Adobe's crossdomain.xml.

There are mainly three ways this vulnerability is exploited:

  • The cross-domain policy is overly permissive.
  • By causing the server to generate responses that the client runtime will interpret as a cross-domain policy file.
  • By uploading malicious files that masquerade as a cross-domain policy file.

Example

The following is an example of a vulnerable cross-domain policy. Every entry uses a wildcard, and `secure="false"` lets non-HTTPS requesters use the policy as well.

      <cross-domain-policy>
         <site-control permitted-cross-domain-policies="all"/>
         <allow-access-from domain="*" secure="false"/>
         <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
      </cross-domain-policy>


Impact

Using this vulnerability, an attacker can:

  • perform Cross-Site Request Forgery (CSRF) attacks.
  • read files that are meant to be protected by the cross-domain policy.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Implement the cross-domain policy properly: list only the specific domains that need access instead of a wildcard, for example:
      <cross-domain-policy>
      <allow-access-from domain="example.beaglesecurity.com" />
      </cross-domain-policy>
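To make the difference between the permissive policy in the Example section and the restricted one recommended above concrete, here is an added Python checker. It is not part of this article and not Beagle's own tooling; it parses a crossdomain.xml document and reports the weak settings discussed on this page (wildcard domains, `secure="false"`, `permitted-cross-domain-policies="all"` and wildcard request-header grants). The two sample policies embedded in it are constructed copies of the page's examples; the `master-only` value in the strict sample is an assumption about a hardened configuration, not something the article specifies.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not fetched from any site). The first mirrors
# the vulnerable example on this page, the second mirrors the recommended fix
# with an assumed hardened site-control value.
VULNERABLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" secure="false"/>
   <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only"/>
   <allow-access-from domain="example.beaglesecurity.com"/>
</cross-domain-policy>"""


def is_wildcard(domain: str) -> bool:
    """True for '*' and for subdomain wildcards such as '*.example.com'."""
    d = domain.strip()
    return d == "*" or d.startswith("*.")


def audit_policy(xml_text: str) -> list:
    """Return a list of findings for a crossdomain.xml document.

    An empty list means none of the weak settings covered here were found.
    The stdlib parser is used for the embedded samples; a policy pulled from
    an untrusted host should be parsed with defusedxml so the scanner itself
    is not exposed to entity-expansion tricks.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # site-control: "all" lets any file on the host act as a policy file,
    # which is what makes the file-upload and response-injection vectors work.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append(
                'site-control permits policy files anywhere on the host '
                '(permitted-cross-domain-policies="all")')

    # allow-access-from: a wildcard domain grants every origin access, and
    # secure="false" extends that to non-HTTPS requesters.
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain.strip() == "*":
            findings.append('allow-access-from grants every domain access (domain="*")')
        elif is_wildcard(domain):
            findings.append(f"allow-access-from uses a subdomain wildcard {domain!r}")
        if el.get("secure", "true").lower() == "false":
            findings.append(
                f'allow-access-from {domain!r} allows non-HTTPS requesters (secure="false")')

    # allow-http-request-headers-from: wildcard domain plus wildcard headers
    # lets any origin attach arbitrary headers to cross-domain requests.
    for el in root.findall("allow-http-request-headers-from"):
        domain = el.get("domain", "").strip()
        headers = el.get("headers", "").strip()
        if domain == "*" and headers == "*":
            findings.append(
                'any origin may send any request header '
                '(allow-http-request-headers-from domain="*" headers="*")')
        elif domain == "*":
            findings.append(
                f"any origin may send the headers {headers!r} cross-domain")

    return findings


def is_permissive(xml_text: str) -> bool:
    """Convenience wrapper: True when the policy has at least one finding."""
    return bool(audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("strict", STRICT_POLICY)):
        print(f"[{name}]")
        for finding in audit_policy(policy) or ["no weak settings found"]:
            print("  -", finding)
```

Run it as a script to see the four findings for the vulnerable sample and none for the strict one; to audit a real deployment, fetch `/crossdomain.xml` from the host you own and pass its text to `audit_policy`.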
