Test RIA cross domain policy (OTG-CONFIG-008)

Revision as of 12:05, 19 February 2013 by Eduardo Castellanos (Talk | contribs)

Jump to: navigation, search
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Brief Summary

Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash. Therefore, a domain can grant remote access to its services from a different domain. However, often the policy files that describe the access restrictions are poorly configured. Poor configuration of the policy files enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.

Description of the Issue

What are crossdomain.xml policy files

A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader, etc. to access data across different domains. For Silverlight, Microsoft adopted a subset of the Adobe's crossdomain.xml, and additionally created it's own clientaccesspolicy.xml.

Whenever a web client detects that a resource has to be requested from other domain, it will first look for a policy file in the target domain in order to determine if performing cross-domain requests, including headers, and socket-based connections are allowed.

Master policy files are located at the domain's root. The file name should always be crossdomain.xml. (ex. http://www.owasp.com/crossdomain.xml). A client may be instructed to load a different policy file, however, it will always check the master policy file first to ensure that the master policy file permits the requested policy file.

Policy files grant several types of permissions:

  • Accepted policy files (Meta vs. master policies)
  • Sockets permissions
  • Header permissions
  • HTTP/HTTPS access permissions
  • Allowing access based on cryptographic credentials

An example of an overly permissive policy file:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="*" secure="false"/>
   <allow-http-request-headers-from domain="*" headers="*" secure="false"/>

How can crossdomain.xml poilicy files be abused

Impact of abusing crossdomain.xml policy files

Black Box testing and example

Testing for RIA policy files weakness:
Result Expected:




  • Nikto