Poking new holes with Flash Crossdomain Policy - Best Security Tips offers daily news, information, advices and tips about spyware, adware, viruses, trojans, web vulnerabilities, hackers, other threats    | Register now | Login
   
TIPS NEWS TOOLS DOWNLOADS MALWARE FORUM BOOKS FREE MAGAZINES FREE WEBCASTS & VIDEOS
Internet security & monitoring for networks - Dld trial!   Get A Free iPod   Bookmark and Share 
Best Tips
5 Security Threats You M...
MyIDScore.com - Free Ide...
How to Use Instant Messa...
OWASP PHP Top 5
10 Email Fight Club rule...
How to Prevent Identity ...
Restore after Viruses, W...
Free Desktop Security T...
Mac OS Attacks
PHPSecInfo
Security Scanner
Security Categories
 1. Adware/Spyware
 2. Antivirus
 3. Firewall
 4. Phishing
 5. Linux Security
 6. Windows Security
 7. Security Incidents
 8. Web Security
 9. P2P Security
Advertise With Us!
Latest Viruses / Threats
Vuln: 'com_abbrev' Joomla! Component 'controller' Parameter Local File Include Vulnerability
2010/12/31 0:00:00
Vuln: Joomla! 'com_countries' Component 'locat' Parameter SQL Injection Vulnerability
2010/12/31 0:00:00
Vuln: Discuz! 'referer' Parameter Cross Site Scripting Vulnerability
2010/12/31 0:00:00
Vuln: Kayako eSupport 's_query' Parameter HTML Injection Vulnerability
2010/12/31 0:00:00
Troj/PWS-BGW
2010/2/8 23:21:56
Our Partners
Downloads
 0.Google Sitemap Maker (Master Resale Rig...
 1.SEO Godfather
 2.AimOne Video Converter
 3.RSS Channel Writer
 4.JavaScript Drop Down Menu Creator
 5.PROcessu SeaBattle PPC
 6.Notes Organizer Deluxe
 7.NoClone Upgrade to Enterprise v4
 8.Aplus DVD to Pocket PC Ripper
 9.Intertech DVD Ripper
Web Application Security: Poking new holes with Flash Crossdomain Policy  
Author: Max : 2006/11/19 Printer Friendly Page Tell a Friend
Poking new holes with Flash Crossdomain Policy 
With the help of the Flash player plugin it is possible for websites to perform cross domain GET and POST requests with simple JavaScript calls. For web developers this gives a whole lot of new possibilities, but from a security point of view it is a very questionable feature.

However it seems Adobe (or former Macromedia) was aware of the danger that arises from supporting cross domain requests, because the Flash player will only allow cross domain requests if a policy file is available on the target domain that allows access from other domains. By default this file is located in the document root directory and is called crossdomain.xml.


NOTE: People seem to misunderstand, that the danger of cross domain requests with flash does not lie in the fact that requests to other sites can be made (this is already possible with normal JavaScript), but in the fact that these requests can be made with modified HTTP headers and that it is also possible to read the response. This defeats all possible protections against Cross Site Request Forgeries.

Read more of this article here .

 
Return to Category | Return To Main Index
Web Application Security: Poking new holes with Flash Crossdomain Policy  



 

NEWS | SECURITY BLOG | TOOLS | DOWNLOADS | TIPS | SITEMAP | TERMS AND CONDITIONS | INTERNET SECURITY SEARCH ENGINE | ADVERTISE ON THIS SITE | CONTACT
Sep '08 | Oct '08 | Nov '08 | Dec '08  Jan '09 | Feb '09 | Mar '09 | Apr '09 | May '09 | Jun '09 | Jul '09 
4000+ Security Software Downloads