I've been reading Chris Shiflett's blog on the Dangers of Cross-Domain Ajax with Flash and crossdomain.xml insecurities. This area could potentially make Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) issues a lot worse. A lot depends on the circumstances, but it's time to learn a little bit more about this. For background...
A crossdomain.xml policy file served from www.foo.com has this shape; the <allow-access-from> element is the part that matters:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.bar.com"/>
</cross-domain-policy>

<allow-access-from domain="www.bar.com"/>
Says Flash Movies on www.bar.com can make asynchronous HTTP requests to www.foo.com.

<allow-access-from domain="*.foo.com"/>
Says Flash Movies anywhere on foo.com can make asynchronous HTTP requests to www.foo.com.

<allow-access-from domain="*"/>
Says Flash Movies from anywhere can make asynchronous HTTP requests to www.foo.com. This looks particularly dangerous.
Check what this Flash Player TechNote snippet says about it:
"This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies."
Fair enough, but who reads the docs anyway. Let's say you XSS somebody on www.hacker.com to load in a malicious Flash Movie. That movie would have full domain access to www.foo.com provided the wildcard config was in place. One of my first questions was: OK, while interesting, this is obscure technology and is unlikely to be widely deployed, so it is of nominal risk to the enterprise. To make sure, I ran some tests on the websites of the Fortune 500 and the Alexa 100 (US). Here are the stats:
I was surprised at the results. A total of about 8% of the Fortune 500 have crossdomain.xml policy files and 2% of those were wildcarded for any-domain. The Alexa 100 was even more pronounced. About 36% have crossdomain.xml, 6% of which are wildcarded for any-domain. This says to me the risk is there and will likely grow.
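To show how the three policy shapes above differ, and how a survey like the one just described can be scored, here is an added example (my own code, not part of the original post or of any tool the author used). It parses crossdomain.xml bodies, classifies each by its most permissive <allow-access-from> rule, and tallies a set of hosts the way the Fortune 500 / Alexa 100 percentages were computed. All policy bodies are constructed samples embedded inline; nothing is fetched from the network, and the host names are placeholders.

```python
"""Classify and tally crossdomain.xml policies (added example, constructed input)."""
import xml.etree.ElementTree as ET

# Constructed sample policies for three fictitious hosts; these are not real sites' files.
# Note: ElementTree ignores the external DTD in the DOCTYPE and does not fetch it.
HEADER = ('<?xml version="1.0"?>\n'
          '<!DOCTYPE cross-domain-policy SYSTEM '
          '"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">\n')

SAMPLE_POLICIES = {
    # host (placeholder) -> body of /crossdomain.xml, or None when the host has no file
    "specific.example": HEADER + """<cross-domain-policy>
  <allow-access-from domain="www.bar.com"/>
</cross-domain-policy>""",
    "subdomains.example": HEADER + """<cross-domain-policy>
  <allow-access-from domain="*.foo.com"/>
</cross-domain-policy>""",
    "open.example": HEADER + """<cross-domain-policy>
  <allow-access-from domain="www.bar.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>""",
    "nopolicy.example": None,
}


def allowed_domains(policy_xml):
    """Return the domain attribute of every <allow-access-from> rule in the file."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    return [rule.get("domain", "") for rule in root.findall("allow-access-from")]


def classify(policy_xml):
    """Label a policy by its most permissive rule.

    "any-domain"         -> a bare "*" rule: any Flash movie anywhere gets access
    "subdomain-wildcard" -> "*.foo.com" style rule
    "specific"           -> only explicit host names
    "none"               -> file present but grants nothing
    """
    domains = allowed_domains(policy_xml)
    if "*" in domains:
        return "any-domain"
    if any(d.startswith("*.") for d in domains):
        return "subdomain-wildcard"
    if domains:
        return "specific"
    return "none"


def survey(policies):
    """Tally a host->policy mapping (None = no crossdomain.xml) like the post's stats.

    Returns (hosts, hosts_with_policy, hosts_wildcarded_for_any_domain).
    """
    total = len(policies)
    with_policy = sum(1 for body in policies.values() if body is not None)
    any_domain = sum(1 for body in policies.values()
                     if body is not None and classify(body) == "any-domain")
    return total, with_policy, any_domain


def survey_percentages(policies):
    """Percent of hosts with a policy, and percent of hosts open to any domain."""
    total, with_policy, any_domain = survey(policies)
    if total == 0:
        return 0.0, 0.0
    return 100.0 * with_policy / total, 100.0 * any_domain / total


if __name__ == "__main__":
    for host, body in SAMPLE_POLICIES.items():
        label = "no crossdomain.xml" if body is None else classify(body)
        print("%-20s %s" % (host, label))
    has_policy, open_to_all = survey_percentages(SAMPLE_POLICIES)
    print("with policy: %.0f%%, wildcarded for any-domain: %.0f%%" % (has_policy, open_to_all))
```

The classifier reports the most permissive rule because one "*" entry makes every other entry irrelevant; a file that lists www.bar.com and then "*" is exactly as open as a file with "*" alone. For a real audit over untrusted responses you would parse with a hardened XML library rather than the stock ElementTree, and fetch /crossdomain.xml over the same scheme the site serves to Flash clients.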