Weak crossdomain.xml and its exploitation PoC.

By Paladion

September 14, 2015

What is Crossdomain.xml file?

Everyone has come across a crossdomain.xml file at some point in time, even though most might not know it. In a domain, the crossdomain.xml is a cross-domain policy file which grants your Flash application the permission to communicate with other servers than the one it’s being hosted on.

Without a crossdomain.xml file, access to data is restricted to the domain, essentially preventing data sharing. For a critical web application like a banking application, it is mandatory to configure the crossdomain.xml file properly.

How a weak crossdomai.xml file look like?

A weak crossdomain.xml file may look like something below. It can allow any third party domain to access any sensitive content inside your domain.

weak crossdomain

What is the risk of having weak crossdomain.xml file?

Depending on the criticality of the application, the risk may vary from Low Risk to High Risk threat. The use of crossdomain.xml files, particularly in banks, can allow hackers to gain access to a number of confidential information.

How can a cyber criminal exploit it?

A weak crossdomain.xml file can allow the cybercriminal to access several types of confidential information. A few among them could include bypassing CSRF protection, stealing credit card details, and account transaction details.

How to create PoC to report this vulnerability?

As a third party hacker who is interested in exploiting this vulnerability, one would require building a .swf file and hosting the Flash file on any hosting site.

In the current scenario, the application displays both the “Username” and “Password” once you are logged in to the application. This tutorial will show you how a victim’s credentials can be stolen. The steps are as follows.

Step 1: Modify the action script code snippet shown below according to your in-scope application URL.


Step 2: Compile the above code using Adobe's Flex SDK locally or online by clicking here. You can use the online option as it does not require any installation.

Step 3: Download the compiled .swf file (flasher.swf in this case) and upload it to your webserver’s root directory. For the purpose of this tutorial, the domain will be registered as crossdomain.biz.ht. This is shown in the following screenshot.

poc report

Step 4: Consider the victim has opened the vulnerable application’s page (Tab 1) where the credentials are present, as shown in the screenshot below.

step 4

Step 5:  Assume the victim has opened the hacker’s controlled site in another tab of the same browser, as shown in the screenshot below.

step 5

Step 6: Analyze the traffic of the request and response processed in the victim’s system. You can intercept the traffic using a proxy tool such as “Burp” as depicted in the screenshot below.

step 6

Step 7: Now you (the third party hacker) have access to the victim’s credentials and can do just about anything to your advantage such as draw money from bank accounts and upload malicious software. This is the same way used by other hackers to steal any sensitive information present in the victim’s application and highlight the critical nature of how crossdomain.xml files need to be used with caution.

There are several steps a bank can take to prevent this from happening. In my next blog, we’ll discuss how you can safeguard your applications against such attacks.


About the Author

Bhaskar Borman  is a senior security analyst working with Paladion Networks.

Tags: blog, Best Practices