crossdomain.xml – WindowsTechs.com

Inconsistent behavior while attempting to exploit a misconfigured flash crossdomain.xml

Posted on October 4, 2019 by hax

victim.com – URL of the misconfigured application.

https://victim.com has an overly permissive crossdomain.xml at https://victim.com/crossdomain.xml.

<?xml version=”1.0″?>
<!DOCTYPE cross-domain-policy
SYS… Continue reading Inconsistent behavior while attempting to exploit a misconfigured flash crossdomain.xml→

Is this a secure crossdomain.xml setup?

Posted on June 18, 2018 by Jack

<cross-domain-policy>
<site-control permitted-cross-domain-policies=”master-only”/>
<allow-http-request-headers-from domain=”*” headers=”*”/>
<allow-access-from domain=”*” to-ports=”80″/>
<allow-acc… Continue reading Is this a secure crossdomain.xml setup?→

Is this crossdomain file vulnerable?

Posted on September 30, 2017 by WayneXMayersX

I’ve found (probably) a flash cross-domain policy vulnerability. Is this crossdomain file really vulnerable? I mean, the website contains a webpage I should be able to read (in that domain range) which has sensitive data too…. Continue reading Is this crossdomain file vulnerable?→

Can I send/receive HTTP requests/responses with a subdomain on a crossdomain.xml file?

Posted on June 29, 2017 by Jack

(I’ll use website.com in place of the actual domain as to not disclose any specific website vulnerability)

I noticed on a website that their crossdomain.xml file allowed access from another website with this code: <allow-… Continue reading Can I send/receive HTTP requests/responses with a subdomain on a crossdomain.xml file?→

CSRF Bypass using ActionScript via weak CrossDomain.xml

Posted on March 26, 2017 by shellcode

I have a target which has weak CrossDomain.xml but it prevents CSRF attack looking at one of the custom HTTP headers. I found following actionscript on a couple of websites, which works perfectly except that it doesnt set the… Continue reading CSRF Bypass using ActionScript via weak CrossDomain.xml→

Flash Cross-Domain Proof of Concept

Posted on December 20, 2016 by Gurzo

In the past, I have been able to successfully test insecure Flash cross-domain policies by using tools such as the followings:

https://thehackerblog.com/crossdomain/
https://github.com/nccgroup/CrossSiteContentHijacking

The policy is a… Continue reading Flash Cross-Domain Proof of Concept→

Secure crossdomain for rtmp/flash streaming/wowza

Posted on June 7, 2016 by user857990

I’ve been a bit lost. I have the following situation:

Flash Player file is on https://sub.example.com/player.swf

crossdomain.xml is on https://sub2.example.com/crossdomain.xml

Streaming is done using Wowza.

The crossdomai… Continue reading Secure crossdomain for rtmp/flash streaming/wowza→