Learn the basic concept of Cross-Domain Policy

1. Cross Domain Policy
Durvijay Jaiswar
05/05/2020

2. Security Analyst at Net-Square
Twitter: @DurvijayJ
LinkedIn: @durvijay-j9
About Me

3. Objectives
● What is Cross-Domain Policy.
● What is crossdomain.xml file.
● Where is the vulnerability.
● Exploitation examples.
● Remediation.

4. What is Cross-domain policy
● Cross-domain policy is a mechanism for data exchange between different
domain.
● Data interchange is handled through web client such as Adobe flash player.
● Application should have crossdomain.xml file in its web root directory.

5. 1. User visits a.com.
2. Flash file from a.com contacts
b.com and checks for
crossdomain.xml file.
3. If file is found, client reads its
permission.
4. If permission allow access then
information from b.com is read.
5. Client transfers the information
from b.com to a.com
Architectural scenario

6. What is crossdomain.xml file
Crossdomain.xml is configuration file which contains the name of domain to
which access is allowed.

7. ● “*” wildcard character is vulnerability here.
● It allows access to all domain for information exchange.
Where is the vulnerability

8. Example 1

9. Application contains the misconfigured
crossdomain.xml file

10. Gather account balance from victim account

11. Create actionscript to gather account balance
summary.php is banks page
which contains account
information.
save_response.php is
responsible for collecting and
saving the response in attacker
server.

12. Compile the script and host it on attacker
server

13. Script for capturing and saving the response

14. Attack stage
Let user login into its
account.
Trick the user to
request flash file in
another tab.

15. Notice the sequence of request executed

16. Check for saved response in attacker server

17. Example 2

18. Make a fund transfer from victim account

19. Create actionscript to make fund transfer
POST request is required
for making fund transfer of
10 Rs.
Compile and host the flash
file in attacker server.

20. Let user login into its account

21. Trick the user to load flash file in another tab

22. Check for saved response in attacker server

23. Remediation
● Remediation to this vulnerability is to hardcode the domain name instead of
“*” in crossdomain.xml file.
● To allow multiple domain add multiple <allow-access-from-domain> element
followed by domain name in crossdomain.xml file.
● Implement a cross site request forgery prevention mechanism.

24. ● http://gursevkalra.blogspot.com/2013/08
/bypassing-same-origin-policy-with-flash
.html
● https://www.adobe.com/devnet/adobe-m
edia-server/articles/cross-domain-xml-fo
r-streaming.html
● https://www.adobe.com/devnet-docs/acr
obatetk/tools/AppSec/xdomain.html
● https://www.adobe.com/devnet/flashplay
er/articles/cross_domain_policy.html
References

25. Questions?

26. Thank You!