Monday, 9 November 2009

Cross-Origin Resource Sharing

A few days ago Facebook and MySpace fixed some bugs in their crossdomain.xml files that could have allowed malicious apps to steal user data or do other nefarious things. The crossdomain.xml file lets a site specify which third-party sites are allowed to make cross-domain Flex-based AJAX requests to it; for those sites it effectively disables the same-origin policy. Chris Shiflett has a nice write-up about the dangers that come along with allowing cross-domain AJAX and Flash.

I wanted to take this opportunity to remind our readers of the lesser-known Cross-Origin Resource Sharing (CORS) standard, which allows similar behavior. Most new browsers support this standard, so the associated cross-site manipulation vulnerabilities are not limited to Flash. It is a little harder to detect whether a site is exposed, since you can't just request crossdomain.xml. Instead you need to find a resource that responds with the CORS access-control headers (Access-Control-Allow-Origin and friends; see Ajaxian and Mozilla for examples). Now I'm pretty sure only a few sites have adopted this standard, but once adoption picks up, it's only a matter of time before we see a bunch of advisories about CORS.
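Since a CORS policy lives in response headers rather than in one file, reviewing it means looking at what the server returns for different `Origin` values. The following added Python example (not from the post) does that for captured responses: it flags a wildcard grant, a `null` grant, a credentialed grant, an origin-specific grant served without `Vary: Origin`, and, across several probes, a server that echoes whatever origin it is given instead of checking an allow-list. The origins and header sets are constructed.

```python
# Added example (not from the original post): review captured responses for
# the CORS headers the post mentions and flag permissive origin handling.
# The probe origins and responses below are constructed.
from typing import Dict, List

Headers = Dict[str, str]


def assess_cors_response(request_origin: str, headers: Headers) -> List[str]:
    """Findings for a single response to a request sent with `Origin: request_origin`."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary_origin = "origin" in [v.strip().lower() for v in h.get("vary", "").split(",")]
    findings: List[str] = []

    if acao is None:
        return findings  # no grant: the same-origin policy applies as usual

    if acao == "*":
        findings.append("wildcard origin: any site may read this response, so it must hold only public data")
        if creds:
            findings.append("credentials=true alongside '*': browsers refuse it, but the intent is unsafe")
    elif acao == "null":
        findings.append("'null' origin allowed: sandboxed iframes and file: pages can read responses")
    elif acao == request_origin:
        if creds:
            findings.append(f"{request_origin} may read authenticated responses; confirm it is on an explicit allow-list")
        if not vary_origin:
            findings.append("origin-specific grant without 'Vary: Origin': a shared cache may serve it to other origins")
    return findings


def assess_cors_probes(probes: Dict[str, Headers]) -> List[str]:
    """Compare responses to several Origin values to tell an allow-list from reflection."""
    findings: List[str] = []
    for origin, headers in probes.items():
        findings.extend(f"[{origin}] {f}" for f in assess_cors_response(origin, headers))
    echoed = [o for o, h in probes.items()
              if {k.lower(): v for k, v in h.items()}.get("access-control-allow-origin") == o]
    if len(probes) > 1 and len(echoed) == len(probes):
        findings.append("every probed origin was echoed back: the server reflects Origin instead of checking it")
    return findings


# Constructed: a server that echoes whatever Origin it receives, with credentials.
REFLECTING = {
    "https://app.example": {"Access-Control-Allow-Origin": "https://app.example",
                            "Access-Control-Allow-Credentials": "true"},
    "https://unrelated.example": {"Access-Control-Allow-Origin": "https://unrelated.example",
                                  "Access-Control-Allow-Credentials": "true"},
}

# Constructed: a server with an explicit allow-list; unknown origins get no grant.
ALLOWLISTED = {
    "https://app.example": {"Access-Control-Allow-Origin": "https://app.example",
                            "Access-Control-Allow-Credentials": "true",
                            "Vary": "Origin"},
    "https://unrelated.example": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, probes in (("reflecting", REFLECTING), ("allow-listed", ALLOWLISTED)):
        print(name)
        for line in assess_cors_probes(probes):
            print("  ", line)
```

The reflection check needs more than one probe because a single echoed origin is exactly what a correct allow-list also produces; only when an origin the site has no reason to trust is echoed too does the response pattern indicate the server is copying `Origin` blindly.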
Posted by elee at 1:08 PM in Fortify