Trusting Hacking crossdomain.xml Files

Thursday, May 22, 2008 by Mistlee

Can't see any images? - !

Visit The XML Pro News Directory
Templates, Tag Reference
Articles, Books
XML Articles
Blogs, Recent News
XML Consultants
Consulting Networks, Training
XML Editors
XML Text Editors, XML WYSIWYG Editors
XML Encoding
Tags, Rules
XML Layouts
Code Layout, Page Layout
XML Programming
Methods, Applications

Submit your site for FREE

Recent Articles

XmlException: Data At The Root Level Is Invalid
A few days ago I needed to write some functionality to fetch an XML document from a URL and load it into an XmlDocument. As always I use the WebClient to retrieve simple documents over HTTP and it looked like this. I ran the function and got this very informative XmlException...

XML Sitemap Ping Tool
All the major search engines (Google, Yahoo!, MSN/Live, and Ask) use the XML Sitemaps protocol for getting URLs from websites. Of course they all still use good old-fashioned crawling, but the XML sitemap can be...

XML-RPC ping endpoint in C# and ASP.NET
All blog platforms send out pings using the XML-RPC protocol whenever a new post is created or an old one is updated. It is very simple to send out XML-RPC pings using C#, because it is just a normal HTTP request...

A New Way to Organize Your Feeds
When you come across something interesting on the web, but don't have time to read it at that moment, what do you do?The old way is to add the web page to your browser's bookmarks or favourites so you can retrieve...

Google Sitemaps and Competitive Intelligence
I'm a big fan of the Google Webmaster Central Program and using sitemaps. I agree that you should build your website so that it is crawlable and not rely on sitemaps to compensate for poor site architecture, but hands down...


Trusting Hacking crossdomain.xml Files

By Dan Morrill

What other sites do flash and other web 2.0 components trust, by Google search or Google hacking the crossdomain xml file, you can find out some very interesting things about what sites are trusted by another site, and where API’s or other trusted widgets can come from, including advertising.

The Google hack is here, crossdomain.xml or feed in extension .com, .net, .org etc of choice.

This is the crossdomain.xml file from twitter as an example

allow-access-from domain="*"
allow-access-from domain="*"
allow-access-from domain="*"
allow-access-from domain="*"
allow-access-from domain="*"
allow-access-from domain="*"
allow-access-from domain="*"

What is interesting is that the crossdomain.xml file from Flickr is "*", meaning they trust all domains everywhere.

Get Listed on Google, Yahoo, and Other
Search Engines in 48 Hours Guaranteed

Youtubes looks like this.

When a hostname is included in the circle of trust you allow them to read all data on the site that the user has access to, this includes any (authenticated) content and (session) cookies. So should a malicious attacker or website owner gain control of a website in the circle of trust (via a server hack or XSS), then they feasibly can compromise user data off that domain. This could easily leads to privacy violations, account takeovers, theft of sensitive data, and bypassing of CSRF protections (grabbing the key ahead of time).
Source: Jermiah Grossman

Many top domains and popular sites have some very interesting configurations in their crossdomain.xml file. With the idea of domain hijack, man in the middle, any number of other attacks, specifying which site is trusted becomes important for web security. The other interesting part is that as part of the open web, by having a full access, anyone can pull any file or user component when the crossdomain.xml file is set to everyone or "*".

The good part is that some intrepid researchers worked out a way to do cross-site request forgery (CSRF) by using the ultra liberal crossdomain.xml policies of flickr or other sites. This is an interesting bit of research, and something that when you are building out your web 2.0 applications to think about, because anyone with any user level of access, using a forged post can read and potentially write any data into the system, which is a security issue. Check your crossdomain.xml files and make sure that you are only sharing with sites you truly trust, or need to trust.


About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
About xmlProNews

xmlProNews is a collection of news and commentary designed to keep you in step with the ever evolving landscape of XML environments. News and Advice for XML Professionals

xmlProNews is brought to you by:

-- XMLProNewsis an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc.  All Rights Reserved   Privacy Policy   Legal

archives | advertising info | news headlines | free newsletters | comments/feedback | submit article

Unsubscribe from XMLProNews.
To unsubscribe from XMLProNews or any other iEntry publication, simply send an email request to: