This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Test RIA cross domain policy (OTG-CONFIG-008)

Revision as of 00:05, 28 November 2012 by Eduardo Castellanos (talk | contribs)

Jump to: navigation, search
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: Back to the OWASP Testing Guide Project:

Brief Summary

Rich Internet Applications (RIA) have adopted Adobe's crossdomain.xml policy files in order to allow for controlled cross domain access to data and service consumption using technologies such as Oracle Java, Silverlight, and Adobe Flash. Therefore, a domain can grant remote access to its services from a different domain. However, often the policy files that describe the access restrictions are poorly configured. Poor configuration of the policy files enables Cross-site Request Forgery attacks, and may allow third parties to access sensitive data meant for the user.

Description of the Issue

What are crossdomain.xml policy files

How can crossdomain.xml poilicy files be abused

Impact of abusing crossdomain.xml policy files

Black Box testing and example

Testing for RIA policy files weakness:
Result Expected:




  • Nikto