05.22.08
Trusting Hacking crossdomain.xml Files
By Dan Morrill

What other sites do Flash and other Web 2.0 components trust? By Google searching (Google hacking) for the crossdomain.xml file, you can find out some very interesting things about which sites are trusted by another site, and where APIs or other trusted widgets can come from, including advertising. The Google hack is: crossdomain.xml site:.com, or feed in the extension of your choice (.com, .net, .org, etc.).

This is the crossdomain.xml file from Twitter as an example:

    allow-access-from domain="*.twitter.com"
    allow-access-from domain="*.discoveringradiance.com"
    allow-access-from domain="*.umusic.com"
    allow-access-from domain="*.hippo.com.au"
    allow-access-from domain="*.ediecareplan.com"
    allow-access-from domain="*.yourminis.com"
    allow-access-from domain="*.korelab.com"

What is interesting is that the crossdomain.xml file from Flickr is "*", meaning they trust all domains everywhere. YouTube's looks like this.

"When a hostname is included in the circle of trust you allow them to read all data on the site that the user has access to; this includes any (authenticated) content and (session) cookies. So should a malicious attacker or website owner gain control of a website in the circle of trust (via a server hack or XSS), then they feasibly can compromise user data off that domain. This could easily lead to privacy violations, account takeovers, theft of sensitive data, and bypassing of CSRF protections (grabbing the key ahead of time)." Source: Jeremiah Grossman

Many top domains and popular sites have some very interesting configurations in their crossdomain.xml file. With domain hijacking, man-in-the-middle, and any number of other attacks in mind, specifying which sites are trusted becomes important for web security. The other interesting part is that, as part of the open web, when the crossdomain.xml file is set to everyone ("*") anyone has full access and can pull any file or user component.

The good part is that some intrepid researchers worked out a way to do cross-site request forgery (CSRF) by using the ultra-liberal crossdomain.xml policies of Flickr or other sites. This is an interesting bit of research, and something to think about when you are building out your Web 2.0 applications, because anyone with any level of user access, using a forged POST, can read and potentially write any data into the system, which is a security issue. Check your crossdomain.xml files and make sure that you are only sharing with sites you truly trust, or need to trust.

About the Author: Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
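The article's closing advice is to check your own crossdomain.xml for trust you did not mean to grant. The following is an added auditing example, not code from the article or from any of the sites it names: it parses a policy and flags a bare "*" entry and every allow-access-from domain outside the site's own, and it goes slightly beyond the article by also flagging the policy's secure="false" attribute, which lets plain-http pages read https content. The sample policies are constructed for the example (the first mirrors the Twitter entries quoted above).

```python
"""Audit a crossdomain.xml policy for overly broad trust (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample policies for this example.
POLICY_TWITTER = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.twitter.com"/>
  <allow-access-from domain="*.discoveringradiance.com"/>
  <allow-access-from domain="*.umusic.com"/>
</cross-domain-policy>"""

POLICY_WILDCARD = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text, first_party_suffix):
    """Return a list of warnings for one crossdomain.xml document.

    first_party_suffix is the site's own domain (e.g. "twitter.com").
    Entries under it are treated as first party; everything else is
    third-party trust, and a bare "*" trusts every origin on the web.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a crossdomain.xml policy")
    warnings = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            warnings.append("allows every domain ('*'): any site can read "
                            "data as the logged-in user")
            continue
        # "*.example.com" covers example.com and its subdomains.
        host = domain[2:] if domain.startswith("*.") else domain
        if host != first_party_suffix and not host.endswith("." + first_party_suffix):
            warnings.append("trusts third party %s: a compromise there "
                            "reaches this site's user data" % domain)
        # secure="false" allows http:// SWFs to read https:// content.
        if entry.get("secure", "true").lower() == "false":
            warnings.append("%s: secure=\"false\" lets http pages read "
                            "https content" % domain)
    return warnings


if __name__ == "__main__":
    for name, policy, site in (("twitter", POLICY_TWITTER, "twitter.com"),
                               ("wildcard", POLICY_WILDCARD, "flickr.com")):
        print(name, audit_crossdomain(policy, site))
```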
-- XMLProNews is an iEntry, Inc. publication -- 2008 iEntry, Inc. All Rights Reserved