DerbyCon 4.0 – SWF Seeking Lazy Admin for Cross Domain Action

Abstract: Security misconfiguration is #5 on the OWASP 2013 Top 10. This talk shows how the misconfiguration of one file can compromise the security of an entire web application.

In the talk, youll be introduced to the crossdomain.xml file.  This file determines how third party Flash Objects (SWFs) hosted on other domains can interact with your domain. Unfortunately, this file requires manual configuration on the part of the administrator, and as we all know, when manual configuration is required, mistakes happen.Sometimes, administrators give up and whitelist the entire internet in order to “make it work”. This is essentially like adding an “accept all” rule on your firewall or setting your password to <blank>. 

Print Share Comment Cite Upload Translate

APA

() » DerbyCon 4.0 – SWF Seeking Lazy Admin for Cross Domain Action. Retrieved from https://www.truth.cx/2014/10/10/derbycon-4-0-swf-seeking-lazy-admin-for-cross-domain-action/.

MLA

" » DerbyCon 4.0 – SWF Seeking Lazy Admin for Cross Domain Action." - , https://www.truth.cx/2014/10/10/derbycon-4-0-swf-seeking-lazy-admin-for-cross-domain-action/

HARVARD

» DerbyCon 4.0 – SWF Seeking Lazy Admin for Cross Domain Action., viewed ,

VANCOUVER

- » DerbyCon 4.0 – SWF Seeking Lazy Admin for Cross Domain Action. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/10/10/derbycon-4-0-swf-seeking-lazy-admin-for-cross-domain-action/

CHICAGO

" » DerbyCon 4.0 – SWF Seeking Lazy Admin for Cross Domain Action." - Accessed . https://www.truth.cx/2014/10/10/derbycon-4-0-swf-seeking-lazy-admin-for-cross-domain-action/

IEEE

" » DerbyCon 4.0 – SWF Seeking Lazy Admin for Cross Domain Action." [Online]. Available: https://www.truth.cx/2014/10/10/derbycon-4-0-swf-seeking-lazy-admin-for-cross-domain-action/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <b>Abstract: </b>Security misconfiguration is #5 on the OWASP 2013 Top 10. This talk shows how the misconfiguration of one file can compromise the security of an entire web application.<br /><br />In the talk, youll be introduced to the crossdomain.xml file.  This file determines how third party Flash Objects (SWFs) hosted on other domains can interact with your domain. Unfortunately, this file requires manual configuration on the part of the administrator, and as we all know, when manual configuration is required, mistakes happen.Sometimes, administrators give up and whitelist the entire internet in order to "make it work". This is essentially like adding an "accept all" rule on your firewall or setting your password to <blank>. </blank><br /><div><br /></div><div>We will review how to identify the vulnerability, how to abuse it, and how to write your own SWFs that exploit the flaw. Examples of public sites that until recently contained this vulnerability will be provided, including a few from the Alexa Top 100.<br /><div><span style="font-family: Arial; font-size: 12px; line-height: 15px; text-align: -webkit-center;"><br /></span></div><div><br /></div><center><iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/v_5dTJYjSMA" width="560"></iframe></center><div class="separator" style="clear: both; text-align: center;"><br /></div><div><br /></div></div> First name:

Last name: