Poking new holes with Flash Crossdomain Policy - Best Security Tips offers daily news, information, advices and tips about spyware, adware, viruses, trojans, web vulnerabilities, hackers, other threats    | Register now | Login
   
TIPS NEWS TOOLS DOWNLOADS MALWARE FORUM BOOKS FREE MAGAZINES FREE WEBCASTS & VIDEOS
GFI LANguard Network Security Scanner - Dld 30-day trial! del.icio.us  digg  Furl  NewsVine  Spurl  Blinklist  Ma.gnolia  Reddit  Tailrank  YahooMyWeb 
Best Tips
Web Application Firewall...
How to Handle Email Atta...
Users (Phishing/Spear Ph...
Beware of Instant Messag...
What is Spyware
A New Malware Defense: E...
Windows Libraries Attack...
Top 10 Most Downloaded P...
See how GFI LANguard N.S...
What does anti-virus sof...
Security Scanner
Security Categories
 1. Adware/Spyware
 2. Antivirus
 3. Firewall
 4. Phishing
 5. Linux Security
 6. Windows Security
 7. Security Incidents
 8. Web Security
 9. P2P Security
Advertise With Us!
Latest Viruses / Threats
Bugtraq: Re: [Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities
2008/8/29 20:49:42
Mal/DownLdr-AC
2008/8/29 15:58:44
Mal/Envid-A
2008/8/29 15:58:44
Troj/Iframe-AR
2008/8/29 15:58:44
Troj/MalDoc-D
2008/8/29 15:58:44
Downloads
 0.Fx MPEG Suite
 1.Daniusoft Video to MP4 Converter
 2.iProtectYou
 3.Deep Ball Defender
 4.Amazing Parrots Screensaver
 5.FlashCam Rebroadcasting server
 6.MysqlDataBackupTool
 7.Photo-Paint 9 script converter
 8.Fast PDF converter
 9.Apex iPod Video Converter Home Edition
Security News
New Facebook Privacy...
New! Spyware Detecti...
Zonealarm Anti-Spywa...
Halloween Horror Spe...
RHEL5 Wins Governmen...
Microsoft Vista brin...
Why you shouldn’t ad...
3 Malware Bittorrent...
Priceline, Traveloci...
New Avira UnErase Pe...
RSS / Atom Feeds
Web Application Security: Poking new holes with Flash Crossdomain Policy  
Author: Max : 2006/11/19 Printer Friendly Page Tell a Friend
Poking new holes with Flash Crossdomain Policy 
With the help of the Flash player plugin it is possible for websites to perform cross domain GET and POST requests with simple JavaScript calls. For web developers this gives a whole lot of new possibilities, but from a security point of view it is a very questionable feature.

However it seems Adobe (or former Macromedia) was aware of the danger that arises from supporting cross domain requests, because the Flash player will only allow cross domain requests if a policy file is available on the target domain that allows access from other domains. By default this file is located in the document root directory and is called crossdomain.xml.


NOTE: People seem to misunderstand, that the danger of cross domain requests with flash does not lie in the fact that requests to other sites can be made (this is already possible with normal JavaScript), but in the fact that these requests can be made with modified HTTP headers and that it is also possible to read the response. This defeats all possible protections against Cross Site Request Forgeries.

Read more of this article here .
 

Return to Category | Return To Main Index
Identity Theft Protection Services :
LifeLock Identity Theft Prevention Solution
Veracity Credit Optimization Services
Equifax Credit Watch
 Free Credit Report
Identity Truth
Privacy Matters 123



 

HOME | NEWS | SECURITY BLOG | TOOLS | DOWNLOADS | SECURITY BOOKS | TIPS | SITEMAP | TERMS AND CONDITIONS | INTERNET SECURITY SEARCH ENGINE | ADVERTISE ON THIS SITE | CONTACT
Nov '07 | Dec '07 | Jan '08 | Feb '08 | Mar '08 | Apr '08 | May '08 | Jun '08 
Best Security Downloads offers 4000+ free and free to try security downloads