Vulnerabilities Distributed Non-automatable Tasks
Note: this is an example of a more general class of ‘confused deputy’ problems 18. 5.3.1.1.1.2 Example of Same-origin Violation – Flash Cross Domain Policies
Adobe Flash plug-in software explicitly allows developers to relax the Flash implementation of the same-origin policy using a policy file. This in itself is NOT a vulnerability since it is part of a
deliberate effort to provide a well-defined policy framework for defining when to relax the same- origin policy. The policy file is implemented on the server side by placing a single text file, named
crossdomain.xml, in the root directory of the domain that hosts the web services potentially accessed by Flash files on another domain. Rules in the file specify which domains or IP addresses
can make requests through to this server. NB: it does not cover access to the DOM of the page the flash file is embedded in by flash files. The vulnerability in this example lies in the fact that these
rules also permit the use of wildcards which allow any cross-domain request to be made to content served by this server. Web servers publishing crossdomain.xml files using wildcards are
vulnerable to attacks, as described in The Dangers of Cross-Domain Ajax with Flash 19. The common development approach of ‘how do I make it just work?’ means that policy files with
wildcards are extremely common. Most importantly, in a context where cross-domain access is unrestricted ie, a wildcard has been used in crossdomain.xml, the browser’s same-origin policy can
be bypassed by loading a small SWF Flash file as an XmlHttpRequest proxy.
5.3.1.1.1.3 Online Advertising Networks It is also common for online advertising networks to use various techniques to circumvent the same-
origin policy. Such techniques include:
Http referrer headers: These headers, available to any embedded resource, give away the complete URL of the page the advert is embedded in – this allows advertisers to track surfers and
even to extract personal information from URL variables. This technique is known as web bugging.
Interception at the service provider: Emerging services such as Phorm 20 intercept and append advertisements based on the content.
Use of browser plug-ins: Some plug-ins do not apply the same-origin policy as strictly as the main browser. For example, Adobe Flash allows ‘cross-domain policy files’ which allow advertisers to
circumvent the same-origin policy.