
Difference between revisions of "Test RIA cross domain policy (OTG-CONFIG-008)"

Line 3: Line 3:
  
 
== Brief Summary ==
 
== Brief Summary ==
<br>
 
 
Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash. Therefore, a domain can grant remote access to its services from a different domain. However, often the policy files that describe the access restrictions are poorly configured. Poor configuration of the policy files enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.  
 
Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash. Therefore, a domain can grant remote access to its services from a different domain. However, often the policy files that describe the access restrictions are poorly configured. Poor configuration of the policy files enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.  
  
<br>
 
 
== Description of the Issue ==  
 
== Description of the Issue ==  
 
<br>
 
<br>
Line 12: Line 10:
 
<br>
 
<br>
 
== Black Box testing and example ==
 
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' <br>
+
'''Testing for RIA policy files weakness:''' <br>
 
...<br>
 
...<br>
 
'''Result Expected:'''<br>
 
'''Result Expected:'''<br>
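Review bot: the renamed heading "Testing for RIA policy files weakness" is still followed only by the "..." placeholder, and "Result Expected" has the same placeholder, so the section describes no test. Suggest replacing the placeholders with the concrete steps implied by the summary (retrieve the site's crossdomain.xml policy file and review the access restrictions it grants to other domains) and stating what an over-permissive file looks like versus an acceptable one.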
Line 18: Line 16:
 
== References ==
 
== References ==
 
'''Whitepapers'''<br>
 
'''Whitepapers'''<br>
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
+
* Adobe: "Cross-domain policy file specification" - http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
 +
* Stefan Esser: "Poking new holes with Flash Crossdomain Policy Files" http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html
 +
* Matt Parsons: "How to find Crossdomain.xml Cross Site Request Forgery with 02" http://parsonsisconsulting.wordpress.com/2010/12/02/how-to-find-crossdomain-xml-cross-site-request-forgery-with-02/
 
<br>
 
<br>
 
'''Tools'''<br>
 
'''Tools'''<br>
 
...<br>
 
...<br>
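Review bot: the Whitepapers list is now properly bulleted and titled, but the "Tools" subsection is still the "..." placeholder carried over from the template. Either list the tools the testing section will use or drop the empty subsection until one is documented.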

Revision as of 23:09, 27 November 2012

This article is part of the new OWASP Testing Guide v4.


Brief Summary

Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash. Therefore, a domain can grant remote access to its services from a different domain. However, often the policy files that describe the access restrictions are poorly configured. Poor configuration of the policy files enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for RIA policy files weakness:
...
Result Expected:
...
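As an added example that is not part of the original page, a small Python checker for the weaknesses the summary describes: it parses a crossdomain.xml document and flags entries that grant cross-domain access too broadly. Element and attribute names follow the Adobe policy file specification listed under References; the sample policy, the function name and the severity labels are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for this example (not taken from any real site).
# It is deliberately permissive so that every check below fires.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text):
    """Return a list of (severity, finding) tuples for one crossdomain.xml.

    Severity labels are this example's own convention, not the page's.
    Checks performed:
      - allow-access-from domain="*": any origin may read the site's data
        (the CSRF / data exposure risk the summary describes)
      - secure="false": an http:// origin may reach https:// content
      - site-control permitted-cross-domain-policies="all": policy files
        anywhere on the site are honoured, e.g. in user-uploaded content
      - wildcard request-header forwarding from any domain
    When auditing a file fetched from an untrusted site, parse it with a
    hardened XML parser (e.g. defusedxml) instead of the stdlib one.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append(("medium", "site-control permits policy files anywhere on the site"))
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from grants access to every domain"))
        elif domain.startswith("*."):
            findings.append(("info", "allow-access-from uses subdomain wildcard %s" % domain))
        # Per the Adobe spec the attribute defaults to secure access when omitted.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", "allow-access-from domain=%s sets secure=false" % domain))
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append(("medium", "all request headers accepted from any domain"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_crossdomain_policy(SAMPLE_POLICY):
        print("[%s] %s" % (severity, text))
```

A policy that lists only specific hostnames (for example a single `allow-access-from domain="app.example.com"`) produces no findings, which is the baseline an assessor compares the live file against.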

References

Whitepapers

Adobe: "Cross-domain policy file specification" - http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
Stefan Esser: "Poking new holes with Flash Crossdomain Policy Files" - http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html
Matt Parsons: "How to find Crossdomain.xml Cross Site Request Forgery with 02" - http://parsonsisconsulting.wordpress.com/2010/12/02/how-to-find-crossdomain-xml-cross-site-request-forgery-with-02/

Tools
...