Simon Willison’s Weblog

Blogmarks tagged security, crossdomainxml in 2008

Filters: Type: blogmark × Year: 2008 × security × crossdomainxml ×

Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml hidden in a GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since. # 1st July 2008, 4:12 pm

Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter. # 1st July 2008, 8:58 am

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole. # 15th May 2008, 8:06 am