A survey of insecure Flash crossdomain policies – Alexa Top 10,000 case study

EDIT: October 9th, 2015 – added Appendix section.

Like many other information security consultants, I spend most of my billable time performing web application penetration tests. And just like every other professional pentester out there, I rely a lot on Burp Suite and its amazing scanner.

More often than not, Burp Scanner comes up with a finding that, under certain conditions (the site serves per-user data to cookie-authenticated sessions and its policy trusts any origin), can have a rather high impact but is not commonly exploited: an insecure crossdomain.xml file.

In a recent blog post, Matthew “mandatory” Bryant exploited this vulnerability against the popular music service rdio. This inspired me to conduct a survey of the Alexa Top 10,000 most visited sites on the web (October 2015) in order to verify how widespread the crossdomain vulnerability actually is, and hopefully to raise awareness of the issue. It is worth mentioning that there is some prior art on this exact topic, published in an academic paper from 2011 and in a blog post by Zach Bloomquist, but I was not aware of either of them until I started writing the support code for this survey.

The rest of this blog post briefly discusses what a crossdomain policy is and how it can affect the security of a website. It also describes all the steps necessary to conduct the survey, including the relevant technical details and code, and presents the results.
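As an added example (not the post's own survey code), the following Python parses a crossdomain.xml document and rates how much cross-origin access it grants, which is the kind of check the survey has to apply to every policy it downloads. The three sample policies are constructed for offline use, the classification labels are my own, and the `secure` default follows the Flash policy-file specification (an unspecified `secure` attribute means `true`).

```python
"""Parse a Flash crossdomain.xml policy and rate the cross-origin access it grants.

Added example for this post, not the author's survey code. The sample policies
below are constructed; they do not belong to any real site.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the classic insecure policy, any SWF anywhere is trusted.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample: scoped to subdomains, but one entry also trusts plain-HTTP SWFs.
SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="cdn.example.net"/>
</cross-domain-policy>"""

# Constructed sample: the meta-policy "none" forbids every policy file, including this one.
CLOSED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return a dict describing the access a crossdomain.xml document grants.

    Note: ElementTree is fine for an offline sample; a crawler feeding it
    untrusted XML should prefer defusedxml to avoid entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    site_control = root.find("site-control")
    meta = (site_control.get("permitted-cross-domain-policies", "all")
            if site_control is not None else "all")
    domains = []
    for el in root.findall("allow-access-from"):
        domains.append({
            "domain": el.get("domain", ""),
            # secure defaults to true: an HTTPS policy does not trust HTTP-loaded SWFs
            "secure": el.get("secure", "true").lower() != "false",
        })
    headers = [(el.get("domain", ""), el.get("headers", ""))
               for el in root.findall("allow-http-request-headers-from")]
    return {"meta_policy": meta, "domains": domains, "headers": headers}


def classify(policy):
    """Rate a parsed policy as 'none', 'restricted', 'wildcard-subdomain' or 'wildcard'."""
    if policy["meta_policy"] == "none":
        return "none"
    names = [d["domain"] for d in policy["domains"]]
    if "*" in names:
        return "wildcard"  # any origin can read authenticated responses
    if any(n.startswith("*.") for n in names):
        return "wildcard-subdomain"  # one compromised subdomain reaches the whole site
    return "restricted"


def findings(policy):
    """Issues a pentester would report for this policy, as plain strings."""
    out = []
    for d in policy["domains"]:
        if d["domain"] == "*":
            out.append('allow-access-from domain="*": a SWF on any site can read '
                       "responses sent with the victim's cookies")
        elif d["domain"].startswith("*."):
            out.append(f'allow-access-from domain="{d["domain"]}": XSS or takeover '
                       "of any subdomain extends to this origin")
        if not d["secure"]:
            out.append(f'domain="{d["domain"]}" has secure="false": SWFs loaded over '
                       "plain HTTP are trusted by the HTTPS origin")
    for domain, hdrs in policy["headers"]:
        if domain == "*" and hdrs.strip() == "*":
            out.append('allow-http-request-headers-from domain="*" headers="*": any '
                       "site may send arbitrary request headers")
    return out


if __name__ == "__main__":
    for name, text in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY),
                       ("closed", CLOSED_POLICY)):
        pol = parse_policy(text)
        print(name, "->", classify(pol))
        for line in findings(pol):
            print("   ", line)
```

A survey script would fetch `/crossdomain.xml` from each host and feed the body to `parse_policy`; two caveats matter when reading the numbers. A `wildcard` rating is only a real vulnerability on a site that returns per-user data to requests authenticated by cookies, and a `secure="false"` entry only weakens sites served over HTTPS, since on a plain-HTTP site the attribute changes nothing.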
