[osflash] crossdomain security holes
Geoff Stearns
geoff at deconcept.com
Fri Oct 20 14:15:46 EDT 2006
The real lesson to learn here is simple: never create a crossdomain.xml
that allows any site to connect to yours. No asterisks!
If you absolutely have to do it, put it on a separate domain that
can't be used to access other normal site operations.
On Oct 19, 2006, at 4:57 PM, Evert|Rooftop wrote:
> Micha,
>
> The best way to get around any possible crossdomain issues is the
> following:
>
> * filter everything well on the HTML side, just like you usually do
> for XSS-type attacks
> * if you are using HTML blacklisting, you might want to scan for
> crossdomain information that might be embedded
> * If you deal with uploaded files, make sure those files are only
> accessible in a subdirectory that's not part of the same tree as
> the URLs you use to perform 'actions' such as handling of new user
> information, posting comments etc.
>
> The points above apply to all web applications, not just Flash-enabled ones.
>
> If you want an all-access AMF gateway or other stuff accessible to Flash,
> do it on a separate domain (api.yourdomain.com) and don't use the same
> sessions as the HTML web applications.
>
> Evert
>
> Michael Stuhr wrote:
>> Peter Elst schrieb:
>>
>>
>>> Is this what you were referring to, Micha? I know this blog post by Martijn
>>> went around a few times to explain the concept:
>>>
>>> http://www.martijndevisser.com/blog/article/why-crossdomainxml-is-a-good-thing
>>>
>>>
>> Nope, it was Mike Chambers who said something about that. Martijn's is
>> definitely good, but I really understood it when Mike explained this.
>> Since I do most of my job-time HTML+CSS I forgot about this, and now I
>> have spent some months coding a Flash-based extranet which makes use of
>> crossdomain. I'm unsure now what I shall do.
>>
>> micha
>>
>> _______________________________________________
>> osflash mailing list
>> osflash at osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>
>>
>
>
> _______________________________________________
> osflash mailing list
> osflash at osflash.org
> http://osflash.org/mailman/listinfo/osflash_osflash.org
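The "no asterisks" rule Geoff states, and Evert's point about keeping uploaded files out of the tree that serves actions, as an added example that is not part of the original thread: a small Python auditor run over two constructed crossdomain.xml bodies. Flash Player sends the visitor's cookies with cross-domain requests, so a policy with `domain="*"` lets a SWF on any site make authenticated requests to your host and read the replies. The element and attribute names are the real policy-file syntax; example.com is a placeholder, and the `site-control` meta-policy (which makes the player ignore policy files outside the site root, closing the uploaded-policy-file case) is a later addition to the format that was not available when this thread was posted.

```python
"""Audit a Flash crossdomain.xml for the permissive settings discussed in this thread.

Added example, not code from the osflash thread or from Adobe.  The two sample
policies are constructed for illustration; the element and attribute names are the
actual Flash Player policy-file syntax.
"""
import xml.etree.ElementTree as ET

SEVERITY_ORDER = {"ok": 0, "info": 1, "warn": 2, "critical": 3, "error": 3}

# Constructed sample: the "asterisks" policy the thread warns against.  Any SWF on any
# site can now make requests to this host with the visitor's cookies and read the reply.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: the same host, scoped to named origins (example.com is a placeholder).
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>
"""


def audit_crossdomain(policy_xml):
    """Return a list of (severity, message) findings for the body of a crossdomain.xml."""
    findings = []
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [("error", "not well-formed XML: %s" % exc)]
    if root.tag != "cross-domain-policy":
        return [("error", "root element is <%s>, expected <cross-domain-policy>" % root.tag)]

    # <site-control> is a later addition to the format.  "master-only" makes the player
    # ignore policy files anywhere but the site root, which is exactly the uploaded-file
    # case Evert describes: an attacker-uploaded policy in /uploads/ is then not honoured.
    site_control = root.find("site-control")
    mode = None if site_control is None else site_control.get("permitted-cross-domain-policies")
    if mode is None:
        findings.append(("warn", "no <site-control>: add permitted-cross-domain-policies=\"master-only\" "
                                 "so a policy file in an upload directory is not honoured"))
    elif mode == "all":
        findings.append(("warn", "site-control allows policy files in any directory; prefer master-only"))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("critical", "allow-access-from domain=\"*\": every site on the internet "
                                         "may read authenticated responses from this host"))
        elif domain.startswith("*."):
            findings.append(("info", "allow-access-from domain=\"%s\": every subdomain is trusted, "
                                     "including any that serves user content" % domain))
        # secure="false" on an https host lets a SWF loaded over plain http read https data.
        if el.get("secure", "true").lower() == "false":
            findings.append(("warn", "allow-access-from domain=\"%s\" secure=\"false\": "
                                     "http-loaded SWFs may read https responses" % domain))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append(("critical", "allow-http-request-headers-from domain=\"*\": any site may "
                                         "send custom request headers (%s) to this host"
                             % el.get("headers", "")))
    return findings


def worst_severity(policy_xml):
    """Collapse the findings to a single verdict: ok, info, warn or critical."""
    worst = "ok"
    for severity, _ in audit_crossdomain(policy_xml):
        if SEVERITY_ORDER[severity] > SEVERITY_ORDER[worst]:
            worst = "critical" if severity == "error" else severity
    return worst


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print("%s policy: %s" % (name, worst_severity(policy)))
        for severity, message in audit_crossdomain(policy):
            print("  [%s] %s" % (severity, message))
```

To audit a live site, fetch `http://yourhost/crossdomain.xml` and pass the body to `audit_crossdomain`. Note that even the hardened form trusts every subdomain, so a subdomain that serves user uploads still undermines it; that is why the thread's advice to put the wide-open gateway on its own domain, with its own sessions, is the stronger fix.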