Posts

Showing posts from March, 2014

Exploiting insecure crossdomain policies to bypass anti-CSRF tokens

In my last post, I mentioned that if a site hosts an insecure crossdomain.xml file, you can exploit that flaw to bypass same origin policy and among other things, you can read anti-CSRF tokens.  Because your Flash object can read the anti-CSRF token, it can extract the token from the response and use it in future requests.  In fact, this is almost identical to how you can bypass CSRF tokens with XSS. I recently came across a popular website that met these criteria, and I created a POC to send to the security team.  The site protected itself against CSRF using anti-CSRF tokens, but they had a wide open crossdomain.xml file.  I'll post the details later, but I wanted to drop the template here, in the event anyone wants to give it a try: // Original POC Author: Gursev Singh Kalra (gursev.kalra@foundstone.com) // Modified to bypass antiCSRF tokens: Seth Art (sethsec@gmail.com) // BypassCSRFchangeEmailAddress .as package { import flash.display.Sprite ; import flash.event

Exploiting misconfigured crossdomain.xml files

Image
An overly permissive crossdomain.xml file on a domain that serves sensitive content is a major security risk. It exposes the domain hosting the improperly configured crossomain.xml file to information disclosure and request forgery. Attackers cannot only forge requests, they can read responses. This means the attacker can retrieve any information the authenticated user has access to, including account information, documents and files, and anti-CSRF tokens if they are used. History This is an old vulnerability. How old? 8 years old. Here is very rough outline of prior research/public discussion: 2006: Chris Shiflett , Julien Couvreur , and Jeremiah Grossman started talking about this publicly. 2008: Jeremiah Grossman revisited the issue. 2010:   Erlend Ofede l wrote about it, and   Mike Bailey gave talk at Blackhat DC. 2011:  Teams from FORTH-ICS , SAP Research , and UC San Diego all released research directly related to crossdomain.xml and the security risks t