
Article: Everything about (Misconfigured crossdomain.xml).

r00tking

floppy disk
User
Registered
11.06.2023
Messages
1
Reactions
2
Hello,

An overly permissive crossdomain.xml file on a domain that serves sensitive content is a major security risk. It exposes the domain hosting the improperly configured crossdomain.xml file to information disclosure and request forgery. Attackers can not only forge requests, they can read responses. This means the attacker can retrieve any information the authenticated user has access to, including account information, documents and files, and anti-CSRF tokens if they are used.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

The Vulnerability

As a general rule, if the following three conditions are met, there is a problem:
  1. A crossdomain.xml file is hosted at the root of the host, for example: www.secret-site.com/crossdomain.xml.
  2. The crossdomain.xml is overly permissive.
  3. There is either sensitive information on www.secret-site.com or there are sensitive actions that can be performed on www.secret-site.com.
If #1 and #2 are met, but www.secret-site.com does not contain any sensitive information, or does not include the ability to perform any sensitive actions, there is no risk to having a wide open crossdomain.xml file. There is no point in making a victim make a request to a page for you if the information is all public and you can see everything anyway.
However, if there are sensitive actions that can be performed or information that can be stolen, and www.secret-site.com has an overly permissive crossdomain.xml file, the application at www.secret-site.com is essentially opening the door to any malicious SWF loaded from anywhere on the web. For example, a SWF loaded from www.malicious-site.com is now able to override/bypass Same Origin Policy and gain access to everything that the authorized user of www.secret-site.com has access to. To say this in a different way, the overly permissive crossdomain.xml file allows Flash to do things that even JavaScript is not allowed to do, mainly accessing cross domain resources.
Note: The most permissive configuration option is the following line: <allow-access-from domain="*">. That is not the only overly permissive setting. Check out the reference papers listed above to find more.
Note: API sites that require a pre-shared key are an exception to the conditions listed above. In this case, even when all three conditions are met, if www.secret-site.com requires an API key or something similar to access the content, there is no risk. The attacker has no way of knowing the pre-shared secret API key, and therefore they can not forge a request with all of the required information to exploit the permissive crossdomain.xml.
Note: In my examples, I use www as the hostname (www.secret-site.com). The security implications of the crossdomain.xml are specific to the fully qualified domain name, including hostname and/or subdomain if they are present. For example, if the https://www.secret-site.com/crossdomain.xml contains <allow-access-from domain="*">, but all of the sensitive transactions happen on https://secure.secret-site.com, there is no risk. Of course, if https://secure.secret-site.com/crossdomain.xml exists and it also has an overly permissive policy, then we are back in business.

I have also been able to find many of these vulnerabilities with this tool and you can benefit too.
Tool link: https://github.com/codeb0ss/cross-d...w/main/cross-domain policy file exploiter.rar

Enjoy;
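As an added example (not the poster's tool and not part of the original post), the following Python script audits a crossdomain.xml policy for the permissive settings discussed in the post: `domain="*"`, wildcard subdomains, `secure="false"`, `allow-http-request-headers-from` from any origin, and a `site-control` mode of `all`. It parses the wide-open policy quoted above and a constructed restrictive counterpart (the partner hostname is a placeholder) so a defender can see which attributes trip the checks.

```python
"""Audit a crossdomain.xml policy for overly permissive settings.

Added example, not the post author's code. Both sample policies are
constructed for illustration; the partner hostname is a placeholder.
"""
import xml.etree.ElementTree as ET

# Constructed: the wide-open policy quoted in the post.
PERMISSIVE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed: a restrictive policy that trusts exactly one named host
# over HTTPS only and refuses any other policy file on the host.
RESTRICTIVE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="partner.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_policy(xml_text: str) -> list[str]:
    """Return one finding per risky setting; an empty list means none found."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]
    findings = []

    # 'all' honours any policy file anywhere on the host, not just the master file.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append("site-control 'all': every policy file on the host is honoured")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*': any origin may read responses")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain='{domain}': every subdomain is trusted")
        # secure defaults to true for a policy served over HTTPS; 'false' lets a
        # SWF loaded over plain HTTP use the policy as well.
        if el.get("secure", "true").lower() == "false":
            findings.append(
                f"allow-access-from domain='{domain}' secure='false': usable from plain HTTP"
            )

    for el in root.findall("allow-http-request-headers-from"):
        domain = el.get("domain", "")
        headers = el.get("headers", "")
        if domain == "*" and headers == "*":
            findings.append(
                "allow-http-request-headers-from domain='*' headers='*': any origin may send any header"
            )
        elif domain == "*":
            findings.append(f"allow-http-request-headers-from domain='*' headers='{headers}'")

    return findings


def is_overly_permissive(xml_text: str) -> bool:
    """True when the policy should be reviewed before it stays on a sensitive host."""
    return bool(audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}: {audit_policy(policy) or 'no findings'}")
```

Run it against your own site's `/crossdomain.xml`; as the post notes, a finding only matters when the same fully qualified hostname also serves authenticated content or state-changing actions, and the fix is to name the specific partner domains you trust (with `secure="true"`) rather than `*`.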