4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
61<br />
Web Application Penetration Testing<br />
Test RIA cross domain policy (OTG-CONFIG-008)<br />
Summary<br />
Rich Internet Applications (RIA) have adopted Adobe’s crossdomain.xml<br />
policy files to allow for controlled cross domain access to<br />
data and service consumption using technologies such as Oracle<br />
Java, Silverlight, and Adobe Flash. Therefore, a domain can grant<br />
remote access to its services from a different domain. However,<br />
often the policy files that describe the access restrictions are<br />
poorly configured. Poor configuration of the policy files enables<br />
Cross-site Request Forgery attacks, and may allow third parties<br />
to access sensitive data meant for the user.<br />
What are cross-domain policy files?<br />
A cross-domain policy file specifies the permissions that a web<br />
client such as Java, Adobe Flash, Adobe Reader, etc. use to access<br />
data across different domains. For Silverlight, Microsoft adopted a<br />
subset of the Adobe’s crossdomain.xml, and additionally created<br />
it’s own cross-domain policy file: clientaccesspolicy.xml.<br />
Whenever a web client detects that a resource has to be requested<br />
from other domain, it will first look for a policy file in the target<br />
domain to determine if performing cross-domain requests, including<br />
headers, and socket-based connections are allowed.<br />
Master policy files are located at the domain’s root. A client may<br />
be instructed to load a different policy file but it will always check<br />
the master policy file first to ensure that the master policy file permits<br />
the requested policy file.<br />
Crossdomain.xml vs. Clientaccesspolicy.xml<br />
|ªMost RIA applications support crossdomain.xml. However in the<br />
case of Silverlight, it will only work if the crossdomain.xml specifies<br />
that access is allowed from any domain. For more granular<br />
control with Silverlight, clientaccesspolicy.xml must be used.<br />
Policy files grant several types of permissions:<br />
• Accepted policy files (Master policy files can disable or restrict<br />
specific policy files)<br />
• Sockets permissions<br />
• Header permissions<br />
• HTTP/HTTPS access permissions<br />
• Allowing access based on cryptographic credentials<br />
An example of an overly permissive policy file:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
How can cross domain policy files can be abused?<br />
• Overly permissive cross-domain policies.<br />
• Generating server responses that may be treated as crossdomain<br />
policy files.<br />
• Using file upload functionality to upload files that may be treated<br />
as cross-domain policy files.<br />
Impact of abusing cross-domain access<br />
• Defeat CSRF protections.<br />
• Read data restricted or otherwise protected by cross-origin policies.<br />
How to Test<br />
Testing for RIA policy files weakness:<br />
To test for RIA policy file weakness the tester should try to retrieve<br />
the policy files crossdomain.xml and clientaccesspolicy.xml from<br />
the application’s root, and from every folder found.<br />
For example, if the application’s URL is http: /www.owasp.org, the<br />
tester should try to download the files http: /www.owasp.org/<br />
crossdomain.xml and http: /www.owasp.org/clientaccesspolicy.<br />
xml.<br />
After retrieving all the policy files, the permissions allowed should<br />
be be checked under the least privilege principle. Requests should<br />
only come from the domains, ports, or protocols that are necessary.<br />
Overly permissive policies should be avoided. Policies with<br />
“*” in them should be closely examined.<br />
Example:<br />
<br />
<br />
<br />
Result Expected:<br />
• A list of policy files found.<br />
• A weak settings in the policies.<br />
Tools<br />
• Nikto<br />
• OWASP Zed Attack Proxy Project<br />
• W3af<br />
References<br />
Whitepapers<br />
• UCSD: “Analyzing the Crossdomain Policies of Flash<br />
Applications” - http: /cseweb.ucsd.edu/~hovav/dist/<br />
crossdomain.pdf<br />
• Adobe: “Cross-domain policy file specification” -<br />
http: /www.adobe.com/devnet/articles/crossdomain_policy_<br />
file_spec.html<br />
• Adobe: “Cross-domain policy file usage recommendations<br />
for Flash Player” - http: /www.adobe.com/devnet/flashplayer/<br />
articles/cross_domain_policy.html<br />
• Oracle: “Cross-Domain XML Support” -<br />
http: /www.oracle.com/technetwork/java/javase/<br />
plugin2-142482.html#CROSSDOMAINXML<br />
• MSDN: “Making a Service Available Across Domain Boundaries”