Sunday, June 22, 2014

Crossdomain.xml Hacking – Proof of Concept Tool

After recently looking into how Adobe Flash Player does cross-site requests, I noticed that there was a shocking lack of tools to demonstrate crossdomain.xml insecurities. It seems like a pretty easy proof of concept to build, so why isn't there a tool to test this? Naturally I Googled around and couldn't find anything, so I decided to build my own over the weekend.

For those not familiar with crossdomain.xml and how it applies to Flash/Adobe plugins, taken straight from Adobe's website:

"Why do you require a crossdomain.xml file? A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction."

Source: http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

To put it simply, the Adobe Flash equivalent of Cross-Origin Resource Sharing is accomplished by checking the "http://yourdomain.com/crossdomain.xml" file for permissions. So if you have a crossdomain.xml file that looks like this:

(crossdomain.xml listing not captured)

You are allowing any random domain to load a Flash app which has permission to make authenticated POST/GET requests on the client's behalf. So if a user were logged into a site with a vulnerable crossdomain file, an attacker could potentially perform any action on behalf of that user (send money, messages, delete things, all sorts of stuff). It's like an XSS vulnerability but with a Flash requirement (not to make it sound unappealing or anything). I also got the grand opportunity to discover ActionScript and all of its fun (missing) features.
While trying to build a proof of concept I ran into a ridiculous number of quirks, everything from not being able to read the response headers to not being able to send a POST request without body data (don't worry, it auto-converts the request to a GET for you). So, if the proof of concept is missing something (like the OPTIONS/DELETE/etc. methods), check to see if it's not just an inadvertent HTML5 advertisement. ANYWAYS, enough moaning!

Crossdomain.xml Proof of Concept Tool

(Image of the tool; click it to get to the tool.)

If you know more than me about ActionScript (if you've spent more than a few hours on it you probably do) and see something missing from this tool, let me know and I'll add it :)

Permalink: http://thehackerblog.com/crossdomain/

Till next time,
-mandatory

Posted in Perimeter Hacking, Web Application Hacking and tagged actionscript hack, adobe proof of concept, crossdomain tester, crossdomain.xml, crossdomain.xml hacking, flash csrf, flash hacking, URLhrequest hacking on April 15, 2014.

2 comments

Pasi Salenius, May 8, 2014 at 10:44 am
Hi Matthew,
Could you add a user-configurable parameter in the PoC tool for the crossdomain.xml URL? AFAIK this can be specified in the ActionScript code with the Security.loadPolicyFile() method. It would make this tool even more useful :)
thanks,
Pasi

mandatory, May 9, 2014 at 1:09 am
I agree that would be useful; I'll have to add it when I have time.
The Author: Matthew Bryant (mandatory), @IAmMandatory, San Francisco, CA
