Not sure. W3af hasn't tested flash vulnerabilities as far as I know, but if I 
found a crossdomain.xml file, I'd certainly look at it manually.

Obviously, Flash can bypass the browser's built-in same-origin policy. (So can 
Silverlight and JavaFX).

You probably should be wary about one which has a line with <allow-access-from 
domain="*" />, if not all data on the site is supposed to be publicly 
available. Say, for example, the site developer is supposed to be protecting 
access to some content through cookie authentication (or HTTP basic auth).

Malicious code on a third-party site can access the data, if they can get the 
browser user to open a link that requests it.

Flash developers, when they have problems, often "troubleshoot" by setting 
domain="*", and if it works, they just leave it. You shouldn't do this on a site 
that uses cookies/basic auth (or an intranet site).

The safe way of using it in Flash 9 and 10 is detailed at 
www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html.


Wayne Dawson, Security Analyst - GCIH, GCFA, GCIA, GPEN, GREM
Inventure Solutions Inc | A Vancity Company
4th Fl - 183 Terminal Avenue, Vancouver,
Business (604) 877-6507 Fax: (604) 871-5403
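The manual check described above, written out as an added example (not code from w3af or from anyone in this thread): it parses a constructed crossdomain.xml and flags the wildcard `domain="*"` rule, and goes a little further by also flagging wildcard subdomains, `secure="false"` and a permissive `site-control` element. The sample policy and the severity labels are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: the "set domain='*' and leave it" configuration
# the message above warns about, plus a couple of other weak settings.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.partner.example" secure="false"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml):
    """Return a list of (severity, message) findings for a crossdomain.xml body.

    Note: for policy files fetched from arbitrary sites, parse with defusedxml
    rather than the stdlib parser.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            # Any origin can read cookie/basic-auth protected responses via Flash.
            findings.append(("high", 'domain="*" grants every origin access'))
        elif domain.startswith("*."):
            # Every subdomain, including ones hosting user content, is trusted.
            findings.append(("medium", "wildcard subdomain rule " + domain))
        if secure == "false":
            # An http:// origin may use an https:// site's policy.
            findings.append(("medium", 'secure="false" on ' + domain))

    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        # Policy files anywhere on the host are honoured, not just the master one.
        findings.append(("low", 'permitted-cross-domain-policies="all"'))
    return findings


if __name__ == "__main__":
    for severity, message in audit_crossdomain(SAMPLE_POLICY):
        print(severity, message)
```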


From: luke [mailto:[email protected]]
Sent: Sunday, October 14, 2012 06:19 PM
To: Wayne Dawson
Cc: [email protected] <[email protected]>; 
[email protected] <[email protected]>
Subject: Re: [W3af-users] disscuss about inspectOriginHeaderScrutiny

So, for this module, it should check the crossdomain.xml policy, because, as 
far as I know, few websites support CORS nowadays.

On Mon, Oct 15, 2012 at 5:26 AM, Wayne Dawson <[email protected]> wrote:
Yes, Flash developers can configure how the same-origin policy is applied. It 
does that with crossdomain.xml.

As I recall, it controls what other hosts are allowed to use Flash remoting. 
Naturally, it can be misconfigured by developers, especially since Macromedia 
documentation was, or at least used to be, full of insecure examples.


Wayne Dawson, Security Analyst - GCIH, GCFA, GCIA, GPEN, GREM
Inventure Solutions Inc | A Vancity Company
4th Fl - 183 Terminal Avenue, Vancouver,
Business (604) 877-6507   Fax: (604) 871-5403


----- Original Message -----
From: Andres Riancho [mailto:[email protected]]
Sent: Sunday, October 14, 2012 07:58 AM
To: luke <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [W3af-users] disscuss about inspectOriginHeaderScrutiny

Luke,

On Fri, Sep 28, 2012 at 5:48 AM, luke <[email protected]> wrote:
> Hi guys:
> I am still testing the new plugin inspectOriginHeaderScrutiny for HTML5;
> for now I have tested some websites:
> www.qq.com
> www.renren.com
> http://sourceforge.net
> facebook.com
>
> These websites all have CORS settings; you can see the configuration by typing
> domain/crossdomain.xml.

CORS and crossdomain.xml are not very related. CORS is an HTML5
feature and crossdomain.xml is something related with Adobe Flash.

> But when I use w3af to scan these sites, there is no result; apparently some of
> these sites are not configured well!
>
> --
> FIT1-213
> Department of Computer Science
> Tsinghua University, Beijing, 100084
> http://about.me/anakin/bio
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>



--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3





--
FIT1-213
Department of Computer Science
Tsinghua University, Beijing, 100084
http://about.me/anakin/bio