
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

xml file. We call this an "open" security policy. Open security policies allow malicious Flash applications to do the following:
Chapter 9: Attacking Flash Applications 225
• Load pages on the vulnerable domain hosting the open security policy via the XML object. This allows the attacker to read confidential data on the vulnerable site, including CSRF protection tokens, and possibly cookies concatenated to URLs (such as jsessionid).
• Perform HTTP GET- and POST-based CSRF attacks via the getURL() function and the XML object, even in the presence of CSRF protection.
The policy file can have any name and be located in any directory. An arbitrary security policy file is loaded with the following ActionScript code:

    System.security.loadPolicyFile("http://public-pages.university.edu/crossdomain.xml");
System.security.loadPolicyFile() is an ActionScript function in Flash that loads any URL of any MIME type and attempts to read the security policy in the HTTP response. If the policy file is not in the server's root directory, then the policy applies only to the directory that contains the policy file, plus all its subdirectories. For instance, suppose the policy file was located in http://public-pages.
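The two rules above (a wildcard allow-access-from makes a policy "open"; a non-root policy governs only its own directory and subdirectories) can be turned into a small audit check. The following Python is an added example, not code from the book; the hostnames, paths and policy documents are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample policies (hypothetical, not taken from the book).
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
</cross-domain-policy>"""


def is_open_policy(policy_xml):
    """True if any allow-access-from entry grants access to every domain ("*")."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False
    return any(e.get("domain", "").strip() == "*"
               for e in root.iter("allow-access-from"))


def policy_scope(policy_url):
    """Scope of a policy file: its own directory plus all subdirectories.

    A policy at the server root covers the whole host ("/")."""
    parsed = urlparse(policy_url)
    directory = posixpath.dirname(parsed.path) or "/"
    if not directory.endswith("/"):
        directory += "/"
    return parsed.scheme, parsed.netloc, directory


def covers(policy_url, resource_url):
    """Whether resource_url falls inside the directory scope of policy_url.

    The resource path is normalised so that '..' segments cannot be used to
    make a path look like it sits under the policy directory."""
    scheme, host, directory = policy_scope(policy_url)
    r = urlparse(resource_url)
    path = posixpath.normpath(r.path or "/")
    in_dir = path == directory.rstrip("/") or path.startswith(directory)
    return (r.scheme, r.netloc) == (scheme, host) and in_dir


def exposed_by_open_policy(policy_url, policy_xml, resource_url):
    """True if this policy lets a Flash movie from any origin read resource_url."""
    return is_open_policy(policy_xml) and covers(policy_url, resource_url)
```

A root-level open policy exposes every URL on the host; a user-directory policy (the public-pages case in the text) exposes only that user's subtree, which is still every CSRF token and URL-borne session id served from it.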