univeristy.edu/~attacker/crossdomain.xml. The policy would apply to requests such as http://public-pages.univeristy.edu/~attacker/doEvil.html and http://public-pages.univeristy.edu/~attacker/moreEvil/doMoreEvil.html, but not to pages such as http://public-pages.univeristy.edu/~someStudent/familyPictures.html or http://public-pages.univeristy.edu/index.html. However, this directory-based scoping should not be relied upon as a security boundary.
Security Policy Reflection Attacks
Popularity: 7
Simplicity: 9
Impact: 8
Risk Rating: 8
Flash parses policy files forgivingly. If an attacker can construct an HTTP request to the target host whose response contains a policy file, Flash will accept that policy as the host's policy, even when the response was never meant to be one. For instance, let's say an AJAX request to
http://www.university.edu/CourseListing?format=js&callback=
responded with the following:
() { return {name:"English101", desc:"Read Books"},
{name:"Computers101", desc:"play on computers"}};
226 Hacking Exposed Web 2.0
You could then load this policy via the ActionScript:
System.
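The following JavaScript is an added example and is not code from the book. It models the reflection attack described above: a JSONP handler that echoes its callback parameter verbatim (the CourseListing endpoint), a deliberately lenient policy parser standing in for Flash's forgiving one, and a hardened handler that restricts the callback to a JavaScript identifier path. The handler and function names, the parameter handling, the attacker host evil.example and the parser logic are assumptions; the real Flash Player parser is not reproduced.

```javascript
// Added example (not from the book): a JSONP endpoint that reflects its
// callback parameter, a lenient policy parser modelled on Flash's forgiving
// behaviour, and the hardened endpoint. Names and parsing rules are assumptions.

// Constructed sample data matching the response shown in the text.
const COURSES = [
  { name: "English101", desc: "Read Books" },
  { name: "Computers101", desc: "play on computers" },
];

// Vulnerable handler: whatever arrives in ?callback= is written straight
// into the response body, so the attacker chooses the first bytes of it.
function courseListingVulnerable(params) {
  const cb = params.callback ?? "";
  return {
    status: 200,
    contentType: "text/javascript",
    body: `${cb}(${JSON.stringify(COURSES)});`,
  };
}

// Hardened handler: the callback must be a plain dotted identifier, which
// cannot contain '<', '>', '"' or '/', so no policy file can be reflected.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function courseListingSafe(params) {
  const cb = params.callback ?? "";
  if (cb.length > 64 || !SAFE_CALLBACK.test(cb)) {
    return { status: 400, contentType: "text/plain", body: "bad callback" };
  }
  return {
    status: 200,
    contentType: "application/javascript",
    headers: { "X-Content-Type-Options": "nosniff" },
    body: `/**/${cb}(${JSON.stringify(COURSES)});`,
  };
}

// Model of a forgiving parser (assumption): it scans the whole body for a
// <cross-domain-policy> element and collects allow-access-from domains,
// ignoring any JavaScript or other text around the element.
function lenientParsePolicy(body) {
  const m = /<cross-domain-policy>([\s\S]*?)<\/cross-domain-policy>/i.exec(body);
  if (!m) return null;
  const domains = [];
  const re = /<allow-access-from\s+domain="([^"]*)"/gi;
  let d;
  while ((d = re.exec(m[1])) !== null) domains.push(d[1]);
  return { domains };
}

// Does the parsed policy grant a requesting host cross-domain access?
function policyAllows(policy, host) {
  if (!policy) return false;
  return policy.domains.some(
    (d) => d === "*" || d === host || (d.startsWith("*.") && host.endsWith(d.slice(1)))
  );
}

// Attacker-chosen callback value: an entire policy file in the query string.
const EVIL_CALLBACK =
  '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>';

// Run the attack against both handlers and report what a lenient parser
// would conclude from each response.
function demo() {
  const vuln = courseListingVulnerable({ format: "js", callback: EVIL_CALLBACK });
  const safe = courseListingSafe({ format: "js", callback: EVIL_CALLBACK });
  return {
    vulnBody: vuln.body,
    vulnAllowsAttacker: policyAllows(lenientParsePolicy(vuln.body), "evil.example"),
    safeStatus: safe.status,
    safeAllowsAttacker: policyAllows(lenientParsePolicy(safe.body), "evil.example"),
    legitCallbackStatus: courseListingSafe({ callback: "handleCourses" }).status,
  };
}

console.log(demo());
```

The vulnerable response begins with the attacker's policy element and the lenient parser reads it as a wildcard grant; the hardened handler refuses the callback outright and still serves a legitimate identifier. On the Flash side, the complementary control is the master policy's site-control element: with `<site-control permitted-cross-domain-policies="master-only"/>` in /crossdomain.xml, Flash Player 9.0.115 and later ignore policy files loaded from any other URL on the host, so a reflected policy in a JSONP response is never consulted.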