
1) If a web application does NOT use any Flash content, does it require crossdomain / clientacess policy file ?

2) If a web application does not host crossdomain / clientaccess policy file, is it vulnerable ?

2 Answers


Short answers: 1) No, not a requirement. 2) Yes, via authenticated client browsers being manipulated.

SilverlightFox is correct in that the crossdomain.xml is not a web application requirement. Per Adobe's website, the crossdomain.xml is a policy in the form of an XML file which "grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains"[1].

That said, it's more geared toward protection related to client behavior and not the servers themselves, but client security is important as you don't want a third-party bad actor attacking your website via an authenticated client.

Likewise, it may be an organizational policy to have one for all webserver deployments just on the off-chance Flash is used or is uploaded to the site via some other type of attack, but from a purely technology perspective it certainly isn't a requirement to protect the server itself.

The real security concern around the crossdomain.xml issue is when a Flash client receives malicious commands from a malicious Flash server, which could cause the client to make requests to your server using the client's credentials. In this case, if you accidentally had a misconfigured crossdomain.xml file such as

This would allow the commands from a malicious server to be executed as the authenticated client connected to your site, giving an attacker access to your server via that user's session. If you have sensitive data, this would be a problem.

To protect from this, it would greatly help to have a correctly configured crossdomain.xml restricting these actions to your domain or a specific host.

The following website goes into this issue in greater detail, but as a quick answer to your question: yes, there is value in this security-wise.

http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html

Cross Domain Policy File Specification:

http://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf

[1] Quoted Adobe article on setting up a crossdomain.xml policy file:

http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

Trey Blalock

No, crossdomain.xml relaxes Flash's default cross-domain policy.

Lack of a file will enforce default restrictions.

SilverlightFox
@SilverlightFox "lack of a file will enforce default restrictions". That's exactly what bothers me. The default restrictions of some local application on a client will apply. Isn't it good to always throw a strict crossdomain.xml file in every public folder of vhosts? So that it doesn't rely on the client but it will always stick to the server's "default, strict, none" policy? In addition to your answer here: http://security.stackexchange.com/questions/86626/will-a-crossdomain-xml-file-reduce-a-potential-security-risk. – Bob Ortiz Jun 30 '16 at 18:11