Cross Data Domain crossdomain.xml misconfigurations
While doing research for the previous post, I ran into a security-sandbox feature implemented by Macromedia Flash. It's called cross-domain data sharing, and it gives the host serving the .swf Flash files the opportunity to define which domains can be accessed to/from the Flash files themselves. Using the file "crossdomain.xml", you can restrict data sharing (variables and the like) down to your own *.domain. I've noticed many sites have utilized this technique and have configured the crossdomain.xml file correctly.
However, in the case of MySpace we saw what kind of dangers can arise from allowing * domains to share data between each other. Using XML HTTP requests, combined with such a crossdomain.xml, XSS attacks can succeed on sites that allow users to embed Flash objects into their dynamic pages.
I've bumped into a few other popular sites that have misconfigurations in their crossdomain.xml files, and the list below showcases them (including MySpace):
http://www.myspace.com/crossdomain.xtml
http://xml.amazon.com/crossdomain.xml
http://api.search.yahoo.co.jp/crossdomain.xml
http://www.flickr.com/crossdomain.xml
http://content.gamebookers.com/crossdomain.xml
http://flash.oprah.com/crossdomain.xml
http://advision.webevents.yahoo.com/crossdomain.xml (every allowed domain except for the first is good)
http://www.jabber.org/crossdomain.xml (target servers running on those defined ports)
The list below shows sites that have actually configured their crossdomain.xml files correctly:
http://dyn.ifilm.com/crossdomain.xml
http://www.neopets.com/crossdomain.xml
http://www.autodesk.com/crossdomain.xml
http://www.washingtonpost.com/crossdomain.xml
http://psc.disney.go.com/crossdomain.xml
http://www.carthage.edu/crossdomain.xml
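A check for the distinction drawn above, between a policy that allows * and one limited to the site's own *.domain, written as an added example that is not from the original post. The function names, severity labels and the example.com / example.net policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; example.com and example.net are placeholders.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

MIXED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="*.example.net" />
  <allow-access-from domain="*" to-ports="5222,5223" />
</cross-domain-policy>"""


def is_own(domain, own_domains):
    """True if domain (optionally '*.'-prefixed) is one of ours or a subdomain."""
    host = domain[2:] if domain.startswith("*.") else domain
    if "*" in host:  # any other wildcard form is never treated as ours
        return False
    return any(host == own or host.endswith("." + own) for own in own_domains)


def audit_policy(xml_text, own_domains):
    """Return (domain, severity, reason) for each entry wider than own_domains."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("", "error", f"policy does not parse: {exc}")]
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = (entry.get("domain") or "").strip().lower()
        ports = entry.get("to-ports")  # present on socket-style entries
        scope = f" (ports {ports})" if ports else ""
        if domain == "*":
            findings.append((domain, "high", "any domain is allowed" + scope))
        elif not is_own(domain, own_domains):
            findings.append((domain, "medium", "not limited to own domains" + scope))
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("mixed", MIXED_POLICY)):
        for finding in audit_policy(policy, ["example.com"]):
            print(name, finding)
```

An empty result means every allow-access-from entry stays within the domains passed as own_domains.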