Questions tagged [crossdomain.xml]

A cross-domain policy file is an XML document that grants a web client - such as Adobe Flash Player, Adobe Reader, etc. - permission to handle data across multiple domains.

6 questions
4 votes, 1 answer

CSRF Bypass using ActionScript via weak CrossDomain.xml

I have a target which has a weak CrossDomain.xml, but it prevents CSRF attacks by looking at one of the custom HTTP headers. I found the following ActionScript on a couple of websites, which works perfectly except that it doesn't set the header. This…
shellcode
2 votes, 0 answers

Flash Cross-Domain Proof of Concept

In the past, I have been able to successfully test insecure Flash cross-domain policies by using tools such as the following: https://thehackerblog.com/crossdomain/ https://github.com/nccgroup/CrossSiteContentHijacking The policy is a normal…
Gurzo
2 votes, 0 answers

cross-domain.xml file: Different policies in different directories

I came across cross-domain XML files on Vimeo and found that there are different policies in different directories. One on https://vimeo.com/settings/crossdomain.xml
one
1 vote, 1 answer

Secure crossdomain for rtmp/flash streaming/wowza

I've been a bit lost. I have the following situation: Flash Player file is on https://sub.example.com/player.swf crossdomain.xml is on https://sub2.example.com/crossdomain.xml Streaming is done using Wowza. The crossdomain.xml right now is…
user857990
0 votes, 1 answer

Inconsistent behavior while attempting to exploit a misconfigured flash crossdomain.xml

victim.com - URL of the misconfigured application. https://victim.com has an overly permissive crossdomain.xml at https://victim.com/crossdomain.xml.
hax
0 votes, 1 answer

Can I send/receive HTTP requests/responses with a subdomain on a crossdomain.xml file?

(I'll use website.com in place of the actual domain so as not to disclose any specific website vulnerability.) I noticed on a website that their crossdomain.xml file allowed access from another website with this code:
Jack