
I read a lot about cross-site scripting with Flash, Javascript etc. and also found several lists of websites that have a crossdomain.xml that allows access from any server. For example, flickr.com trusts all domains.

Can somebody explain to me why this seems to be secure and doesn't lead to attacks like session hijacking? Is it because that crossdomain.xml is only valid on subdomains, which don't make it possible for an attacker to get the session key?

Bob

1 Answer


Using crossdomain.xml files can be very dangerous and can open websites up to serious attacks. There are two rules of thumb to prevent crossdomain policies from opening up security holes:

  1. Never put a crossdomain policy file on an intranet site
  2. Never put a crossdomain policy file on a site that uses cookies

A valid use of a crossdomain policy file is on a site like api.flickr.com where there are only services which do not use cookies.

James Ward
+1 The key point is that api.flickr.com does not use cookies for its services, and so an attacker website cannot misuse the user's credentials. – Sripathi Krishnan Sep 14 '10 at 14:24
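The two rules of thumb in the answer above, turned into a small policy audit. This is an added example, not code from the question, the answer, or Flickr: it parses a crossdomain.xml with the standard library, lists the origins it trusts, and flags the file when the serving host is an intranet host (rule 1) or authenticates with cookies (rule 2). Both policy documents, the host names in them and the severity labels are constructed for the example; the element and attribute names (`cross-domain-policy`, `allow-access-from`, `site-control`, `secure`) are the real ones from Adobe's policy file format.

```python
"""Audit a Flash crossdomain.xml against the two rules of thumb from the answer.

Added example, not from the original post. The sample policies are constructed;
nothing here is fetched from a live site.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the kind of policy the question asks about, trusting every origin.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: a restricted policy that names only specific partner origins,
# keeps policy files to the master one, and refuses plain-HTTP SWFs via secure="true".
RESTRICTED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="*.partner.example" secure="true" />
</cross-domain-policy>
"""


def parse_allowed_domains(xml_text):
    """Return the domain attribute of every <allow-access-from> element, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: root is <%s>" % root.tag)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def audit_policy(xml_text, uses_cookies, intranet=False):
    """Apply the two rules of thumb and return a list of (severity, message) findings.

    uses_cookies: True if the host serving this file authenticates requests with cookies.
    intranet:     True if the host is only reachable from an internal network.
    An empty list means the policy grants nothing, or grants access only where the
    answer says it is acceptable (a cookie-free, internet-facing API host).
    """
    findings = []
    domains = parse_allowed_domains(xml_text)
    if not domains:
        return findings  # no cross-domain access granted at all

    if intranet:
        findings.append(("high", "rule 1: policy file is served from an intranet host"))
    if uses_cookies:
        findings.append(("high",
                         "rule 2: host uses cookies, so requests from the trusted origins "
                         "carry the user's session (trusted: %s)" % ", ".join(domains)))
    if "*" in domains:
        # Without cookies this is the api.flickr.com situation the answer calls valid,
        # so it is reported for information only.
        findings.append(("info" if not uses_cookies else "high",
                         'allow-access-from domain="*" lets any origin read responses'))
    return findings


if __name__ == "__main__":
    cases = [
        ("permissive, cookie-free API host", PERMISSIVE_POLICY, False, False),
        ("permissive, cookie-authenticated host", PERMISSIVE_POLICY, True, False),
        ("restricted, cookie-free host", RESTRICTED_POLICY, False, False),
        ("restricted, intranet host with cookies", RESTRICTED_POLICY, True, True),
    ]
    for label, policy, cookies, internal in cases:
        print(label)
        for severity, message in audit_policy(policy, cookies, internal) or [("ok", "nothing flagged")]:
            print("  [%s] %s" % (severity, message))
```

The `uses_cookies` and `intranet` flags are inputs the auditor has to supply, because the policy file itself cannot tell you how the host authenticates; that is exactly why the answer's rules are about where the file is deployed rather than what it contains.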