Web Application Security: Poking new holes with Flash Crossdomain Policy  
Author: Max, 2006/11/19
With the help of the Flash player plugin, a website can make the visitor's browser perform cross-domain GET and POST requests from a Flash movie (ActionScript code, which JavaScript on the page can drive as well). For web developers this opens up a whole lot of new possibilities, but from a security point of view it is a very questionable feature.

However, Adobe (formerly Macromedia) was evidently aware of the danger of cross-domain requests: the Flash player only performs such a request if the target domain serves a policy file that explicitly grants access to the requesting domain. By default the player fetches this file from the document root of the target host, where it must be named crossdomain.xml. A policy that lists domain="*" grants that access to every site on the internet.

NOTE: People seem to misunderstand where the danger lies. It is not that requests can be sent to other sites at all, since plain HTML and JavaScript can already do that (a form post or an image tag is enough). The danger is that Flash can send those requests with attacker-controlled HTTP headers and, above all, read the response. That defeats the usual protections against Cross-Site Request Forgery: a secret token embedded in a page can simply be read out and replayed, and header-based checks cannot be trusted when the attacker controls the headers.
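The practical check that follows from the two paragraphs above is to audit the crossdomain.xml a host actually serves. The script below is an added example, not code from the original article: it parses constructed sample policies (a wildcard grant, a TLD wildcard with secure="false", and a hardened policy naming single hosts) and reports every entry that grants more than one specific origin. The element names and attributes are the real ones from the Flash policy file format; the sample hostnames are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for the checker (not taken from the article).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

TLD_WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.com" secure="false" />
</cross-domain-policy>
"""

HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text, served_over_https=True):
    """Return [(severity, message), ...] for one crossdomain.xml document.

    An empty list means no entry grants more than a single named host
    over a matching scheme.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", "not well-formed XML: %s" % exc)]
    if root.tag != "cross-domain-policy":
        return [("error", "root element is <%s>, expected <cross-domain-policy>" % root.tag)]

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        # For a policy fetched over HTTPS the player defaults secure="true".
        secure = elem.get("secure", "true").strip().lower()

        if domain == "*":
            findings.append(("critical",
                             'domain="*": any site can read responses and forge authenticated requests'))
        elif domain.startswith("*."):
            suffix = domain[2:]
            if "." not in suffix:
                # *.com, *.net: a wildcard on a TLD is as open as "*".
                findings.append(("critical",
                                 'domain="%s": wildcard on a TLD is as open as "*"' % domain))
            else:
                findings.append(("warning",
                                 'domain="%s": every host under %s is trusted, including user-controlled subdomains'
                                 % (domain, suffix)))
        if served_over_https and secure == "false":
            findings.append(("high",
                             'domain="%s" secure="false": plain-HTTP origins may read HTTPS responses' % domain))

    # allow-http-request-headers-from (Flash Player 9.0.115 and later) governs
    # which request headers a foreign movie may set on requests to this host.
    for elem in root.findall("allow-http-request-headers-from"):
        if elem.get("domain") == "*":
            findings.append(("high",
                             'allow-http-request-headers-from domain="*" headers="%s": any site may add request headers'
                             % elem.get("headers", "")))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("tld-wildcard", TLD_WILDCARD_POLICY),
                         ("hardened", HARDENED_POLICY)):
        print(name)
        for severity, message in audit_policy(policy) or [("ok", "no over-broad grants")]:
            print("  [%s] %s" % (severity, message))
```

To audit a live host, fetch https://target/crossdomain.xml yourself and pass the body to audit_policy; the checker deliberately does no network access so it runs offline. Anything rated critical means every site on the internet can read that host's responses through a Flash movie, token-based CSRF protection included.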

Read more of this article here.
