4.0

61Web Application Penetration TestingTest RIA cross domain policy (OTG-CONFIG-008)SummaryRich Internet Applications (RIA) have adopted Adobe’s crossdomain.xmlpolicy files to allow for controlled cross domain access todata and service consumption using technologies such as OracleJava, Silverlight, and Adobe Flash. Therefore, a domain can grantremote access to its services from a different domain. However,often the policy files that describe the access restrictions arepoorly configured. Poor configuration of the policy files enablesCross-site Request Forgery attacks, and may allow third partiesto access sensitive data meant for the user.What are cross-domain policy files?A cross-domain policy file specifies the permissions that a webclient such as Java, Adobe Flash, Adobe Reader, etc. use to accessdata across different domains. For Silverlight, Microsoft adopted asubset of the Adobe’s crossdomain.xml, and additionally createdit’s own cross-domain policy file: clientaccesspolicy.xml.Whenever a web client detects that a resource has to be requestedfrom other domain, it will first look for a policy file in the targetdomain to determine if performing cross-domain requests, includingheaders, and socket-based connections are allowed.Master policy files are located at the domain’s root. A client maybe instructed to load a different policy file but it will always checkthe master policy file first to ensure that the master policy file permitsthe requested policy file.Crossdomain.xml vs. Clientaccesspolicy.xml|ªMost RIA applications support crossdomain.xml. However in thecase of Silverlight, it will only work if the crossdomain.xml specifiesthat access is allowed from any domain. For more granularcontrol with Silverlight, clientaccesspolicy.xml must be used.Policy files grant several types of permissions:• Accepted policy files (Master policy files can disable or restrictspecific policy files)• Sockets permissions• Header permissions• HTTP/HTTPS access permissions• Allowing access based on cryptographic credentialsAn example of an overly permissive policy file:How can cross domain policy files can be abused?• Overly permissive cross-domain policies.• Generating server responses that may be treated as crossdomainpolicy files.• Using file upload functionality to upload files that may be treatedas cross-domain policy files.Impact of abusing cross-domain access• Defeat CSRF protections.• Read data restricted or otherwise protected by cross-origin policies.How to TestTesting for RIA policy files weakness:To test for RIA policy file weakness the tester should try to retrievethe policy files crossdomain.xml and clientaccesspolicy.xml fromthe application’s root, and from every folder found.For example, if the application’s URL is http: /www.owasp.org, thetester should try to download the files http: /www.owasp.org/crossdomain.xml and http: /www.owasp.org/clientaccesspolicy.xml.After retrieving all the policy files, the permissions allowed shouldbe be checked under the least privilege principle. Requests shouldonly come from the domains, ports, or protocols that are necessary.Overly permissive policies should be avoided. Policies with“*” in them should be closely examined.Example:Result Expected:• A list of policy files found.• A weak settings in the policies.Tools• Nikto• OWASP Zed Attack Proxy Project• W3afReferencesWhitepapers• UCSD: “Analyzing the Crossdomain Policies of FlashApplications” - http: /cseweb.ucsd.edu/~hovav/dist/crossdomain.pdf• Adobe: “Cross-domain policy file specification” -http: /www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html• Adobe: “Cross-domain policy file usage recommendationsfor Flash Player” - http: /www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html• Oracle: “Cross-Domain XML Support” -http: /www.oracle.com/technetwork/java/javase/plugin2-142482.html#CROSSDOMAINXML• MSDN: “Making a Service Available Across Domain Boundaries”