The Dangers of Flash's crossdomain.xml
PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a
crossdomain.xml file you will want to read his post.
If you have a
crossdomain.xml file on your domain, and you allow access from ALL domains, then you are essentially opening that domain up to Cross Site Request Forgery attacks.
Chris found that flickr had a
crossdomain.xml file setup to allow flash applications to be built using the Flickr API. The problem is that you can write a flash application that would allow almost any action a logged in flickr user could perform.
Flickr has fixed the problem by moving the API endpoint, and
api.flickr.com, instead of running under something like
flickr.com/api. Now a flash application can't make calls to flickr.com from another domain.
The moral of the story is to make sure that your API runs on a different domain from your public web site if you are going to implement a
- csrfVerifyToken does not invalidate the token - February 6, 2019
- HackMyCF.com Now Detects BlazeDS Vulnerability - April 27, 2010
- Firefox 3.5 Introduces Origin Header, Security Features - June 30, 2009
- Announcing Web Application Firewall for ColdFusion - July 9, 2007
- MySpace Hacked with CSRF and XSS - October 13, 2005
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained