Yes, Flash developers can configure how the same origin policy is applied. They do that with crossdomain.xml.

As I recall, it controls what other hosts are allowed to use Flash remoting. Naturally, it can be misconfigured by developers, especially since Macromedia documentation was full (at least it used to be) of insecure examples.

Wayne Dawson, Security Analyst - GCIH, GCFA, GCIA, GPEN, GREM
Inventure Solutions Inc | A Vancity Company
4th Fl - 183 Terminal Avenue, Vancouver
Business (604) 877-6507 Fax: (604) 871-5403

----- Original Message -----
From: Andres Riancho [mailto:[email protected]]
Sent: Sunday, October 14, 2012 07:58 AM
To: luke <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [W3af-users] disscuss about inspectOriginHeaderScrutiny

Luke,

On Fri, Sep 28, 2012 at 5:48 AM, luke <[email protected]> wrote:
> Hi guys:
> I am still testing the new plugin inspectOriginHeaderScrutiny for HTML5.
> For now I have tested some websites:
> www.qq.com
> www.renren.com
> http://sourceforge.net
> facebook.com
>
> These websites all have CORS settings; you can see the configuration by
> typing domain/crossdomain.xml

CORS and crossdomain.xml are not very related. CORS is an HTML5 feature and crossdomain.xml is something related to Adobe Flash.

> But when I use w3af to scan these sites, there is no result; apparently some
> of these sites are not configured well!
>
> --
> FIT1-213
> Department of Computer Science
> Tsinghua University, Beijing, 100084
> http://about.me/anakin/bio
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
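The two mechanisms the thread contrasts, as an added example that is neither this thread's nor w3af's code: a small Python audit of a crossdomain.xml policy for the permissive settings Wayne alludes to (a wildcard domain, secure="false", wildcard request headers, site-control set to "all"), plus a separate check of the CORS response headers a server returns for a probe Origin, which is what the Origin header inspection Luke mentions is about; the plugin's actual logic is not shown here. The policy texts, the response headers and the finding codes are all constructed for this example.

```python
"""Added example (not code from this thread or from w3af): audit an Adobe
crossdomain.xml policy and a CORS response for permissive settings.
The policy texts, headers and finding codes below are constructed samples."""
import xml.etree.ElementTree as ET

# Constructed sample: the kind of wide-open policy old Macromedia docs showed.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: a policy restricted to one named origin.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return (code, detail) findings for a Flash crossdomain.xml policy.

    A SWF hosted on any domain matched by allow-access-from may read
    responses from this host with the victim's cookies attached, so a
    wildcard domain turns the policy into a cross-site data-theft vector."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("NOT_A_POLICY", "root element is %r" % root.tag)]
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("POLICY_ALL",
                         "policy files anywhere on the host are honoured"))
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("WILDCARD_DOMAIN",
                             "any SWF on the web may read responses with cookies"))
        elif domain.startswith("*."):
            findings.append(("SUBDOMAIN_WILDCARD",
                             "every subdomain of %s is trusted" % domain[2:]))
        # secure="false" on a policy served over HTTPS lets SWFs loaded over
        # plain HTTP (and therefore tamperable in transit) read HTTPS content.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("INSECURE_TRANSPORT",
                             'secure="false" for domain %s' % domain))
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append(("WILDCARD_HEADERS",
                             "any domain may send custom headers (%s)"
                             % rule.get("headers", "")))
    return findings


def audit_cors(probe_origin, response_headers):
    """Return (code, detail) findings for the CORS headers a server sent back
    to a request carrying 'Origin: probe_origin'. Call it once per probe
    (an attacker-controlled origin, the literal "null", a look-alike host)."""
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    credentials = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no cross-origin grant at all
    if acao == "*":
        if credentials:
            # Browsers refuse this pairing, but it shows the server intends
            # to expose credentialed responses to every origin.
            findings.append(("WILDCARD_WITH_CREDENTIALS",
                             "ACAO: * together with ACAC: true"))
        return findings
    if acao == probe_origin:
        code = "NULL_ORIGIN_TRUSTED" if probe_origin == "null" else "ORIGIN_REFLECTED"
        findings.append((code, "%s echoed in ACAO, credentials %s"
                         % (probe_origin, "allowed" if credentials else "not allowed")))
        # A per-origin ACAO that is cached without Vary: Origin can be served
        # to a different origin by an intermediary cache.
        if "origin" not in hdrs.get("vary", "").lower():
            findings.append(("MISSING_VARY_ORIGIN", "ACAO varies by Origin but no Vary: Origin"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy))
    print(audit_cors("https://attacker.example",
                     {"Access-Control-Allow-Origin": "https://attacker.example",
                      "Access-Control-Allow-Credentials": "true"}))
```

In practice you would fetch /crossdomain.xml from the target and feed the body to audit_crossdomain, and send the same request several times with different Origin values (your own host, "null", a host that merely contains the target's name) and pass each response's headers to audit_cors; a finding of ORIGIN_REFLECTED with credentials allowed is the CORS analogue of the Flash wildcard domain.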
