Update 05.14.2008: Figured I'd make available the list of active
crossdomain.xml websites <http://ha.ckers.org/weird/crossdomain.html> I've
found. Enjoy! *hat tip to RSnake <http://ha.ckers.org/> for the bandwidth*

This week I took a renewed interest
<http://jeremiahgrossman.blogspot.com/2006/10/crossdomainxml-statistics.html>
in crossdomain.xml
<http://blogs.adobe.com/stateofsecurity/2007/07/crossdomain_policy_files_1.html>.
For those unfamiliar, this is Flash's opt-in policy file that extends the
same-origin policy to include more sites in the circle of trust. Normally
client-side code (JavaScript, Flash, Java, etc.) is limited to reading data
only from the website (hostname) from which it was loaded. Attempts to read
data from other domains are met with security exceptions.

With crossdomain.xml a site owner may configure a policy stating which
off-domain sites are allowed to read its data (or parts thereof), and the
client, Flash in this case, is responsible for enforcement. This feature
paves the way for richer client-side applications. Crossdomain.xml policies
are also extremely flexible, allowing trusted websites to be defined by IP,
domain, subdomain, or everyone (*) under the sun. And this is one area where
we potentially run into trouble.

When a hostname is included in the circle of trust you allow it to read all
data on the site that the user has access to; this includes any
(authenticated) content and (session) cookies. So should a malicious attacker
or website owner gain control of a website in the circle of trust (via a
server hack or XSS), they can feasibly compromise user data from that domain.
This could easily lead to privacy violations, account takeovers, theft of
sensitive data, and bypassing of CSRF protections (grabbing the key ahead of
time).

With this understood I was curious just how many prominent websites are
actively using crossdomain.xml and generally how they are configured. For
sampling I combined the "www" hostnames of the Fortune 500 with the Global
Alexa 500. Of the 961 unique websites in all (and keeping the results to
myself for now)...

* 28% have a crossdomain.xml policy file of some type.
* 7% have unrestricted crossdomain.xml policy files.
* 11% have *.domain.com restricted crossdomain.xml policy files.
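To make the policy shapes described above (IP, hostname, *.domain.com, and the unrestricted "*") concrete, and to show how a survey like this would bucket them, here is an added Python example. It is not code from the original post or from its author; the four sample policies and hostnames are constructed, the "registrable domain" helper simply takes the last two labels (an assumption that ignores public-suffix rules like co.uk), and the bucket names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample crossdomain.xml bodies for hypothetical hosts.
# None stands for "no policy file served" (e.g. a 404).
SAMPLE_POLICIES = {
    # Unrestricted: any site under the sun may read this site's data.
    "www.example.com": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">'
        '<cross-domain-policy>'
        '  <allow-access-from domain="*"/>'
        '</cross-domain-policy>'
    ),
    # Wildcard subdomain: one XSS anywhere on *.example.net is enough.
    "www.example.net": (
        '<cross-domain-policy>'
        '  <allow-access-from domain="*.example.net"/>'
        '</cross-domain-policy>'
    ),
    # Restricted: explicit hostname plus an IP address (TEST-NET range).
    "www.example.org": (
        '<cross-domain-policy>'
        '  <allow-access-from domain="static.example.org"/>'
        '  <allow-access-from domain="203.0.113.10"/>'
        '</cross-domain-policy>'
    ),
    # No policy file at all: the browser's normal same-origin rules apply.
    "www.example.edu": None,
}


def registrable(host):
    """Crude registrable-domain guess: last two DNS labels (assumption, no PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(site_host, xml_text):
    """Bucket one crossdomain.xml the way the post's survey does.

    Returns one of: "none", "malformed", "no-grants", "unrestricted",
    "wildcard-subdomain", "restricted".
    """
    if xml_text is None:
        return "none"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "malformed"
    if root.tag != "cross-domain-policy":
        return "malformed"
    domains = [(e.get("domain") or "").strip().lower()
               for e in root.iter("allow-access-from")]
    domains = [d for d in domains if d]
    if not domains:
        return "no-grants"           # file exists but trusts nobody
    if "*" in domains:
        return "unrestricted"        # everyone is in the circle of trust
    if any(d.startswith("*.") for d in domains):
        return "wildcard-subdomain"  # every host under that domain is trusted
    return "restricted"


def foreign_wildcards(site_host, xml_text):
    """Wildcard grants pointing at a different registrable domain than the site.

    These widen the circle of trust to hosts the site owner does not control.
    """
    if xml_text is None:
        return []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    own = registrable(site_host)
    found = []
    for e in root.iter("allow-access-from"):
        d = (e.get("domain") or "").strip().lower()
        if d.startswith("*.") and registrable(d[2:]) != own:
            found.append(d)
    return found


def survey(policies):
    """Count policy buckets over a {host: xml_or_None} mapping, with percentages."""
    total = len(policies)
    counts = {"total": total, "with_policy": 0, "unrestricted": 0,
              "wildcard-subdomain": 0, "restricted": 0}
    for host, body in policies.items():
        bucket = classify(host, body)
        if bucket not in ("none", "malformed"):
            counts["with_policy"] += 1
        if bucket in counts:
            counts[bucket] += 1
    counts["pct"] = {k: round(100.0 * v / total, 1)
                     for k, v in counts.items()
                     if k not in ("total", "pct")}
    return counts


if __name__ == "__main__":
    for host, body in SAMPLE_POLICIES.items():
        print(host, classify(host, body), foreign_wildcards(host, body))
    print(survey(SAMPLE_POLICIES))
```

Fetching the real files is just an HTTP GET of /crossdomain.xml per host; the interesting part for a defender is the classification, since an "unrestricted" or "wildcard-subdomain" result on a site that serves authenticated content is exactly the exposure the post describes.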

I was quite surprised by the penetration, but not as much as by how many
possessed unrestricted policies, meaning any website can pull any data from
them that it wants. It's not so much that they allow this (many are just
brochure-ware, so who cares), but for others we're talking very sensitive
data here. Then of course the domain-restricted percentages were higher
still. That would mean if a user should get XSS'ed ANYWHERE on the domain
(or other *'d domain), easy enough to do, an attacker could load up a Flash
payload and pilfer the data that way. Ouch. Another thing I noticed was a
considerable number of intranet (development) hostnames being leaked
publicly, which is weird.

Now if I may take things just one step further, because these types of
attacks can scale far more easily and become more damaging than it might
first appear. We've already seen several cases where Flash-based advertising
is poisoned through an upstream CDN provider, eventually leading to the
exploitation of users' browsers. These attacks are spotted because they take
advantage of a well-known vulnerability, load malware detectable by A/V
signatures, and detectably compromise a machine. But let's say they didn't
do that and instead attempted something subtle.

What an attacker could do is purchase some Flash-based advertising delivered
anywhere on a domain inside a circle of trust (*.domain.com). Instead of
using traditional malware exploits they'd force an innocent-looking and
invisible cross-domain request on behalf of the user. This request could
easily steal session cookies, read your Web email, spam email for that
matter, access your social network, and the list goes on and on. Not only
would this be inexpensive, but also extremely difficult to detect because
everything would appear legit. As I say this, I can't help but wonder if it
hasn't happened already and we just haven't realized it. We're all so used
to blaming online account compromises on trojan horses that we haven't
stopped to consider or investigate other possibilities.


Thanks to Russ McRee <http://holisticinfosec.blogspot.com/> for blog title
and content assistance.

 

[Ph4nt0m] <http://www.ph4nt0m.org/>  

[Ph4nt0m Security Team]

                   <http://blog.ph4nt0m.org/> [EMAIL PROTECTED]

          Email:  [EMAIL PROTECTED]

          PingMe:
<http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wu
hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724> 

          === V3ry G00d, V3ry Str0ng ===

          === Ultim4te H4cking ===

          === XPLOITZ ! ===

          === #_# ===

#If you brave,there is nothing you cannot achieve.#

--~--~---------~--~----~------------~-------~--~----~
 To send mail to the mailing list, send it to [email protected]
 To unsubscribe from this list, send mail to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
