comments (not for humans)

[Security] Why you need to lock down your crossdomain.xml

February 21, 2010 - 21:36 CET Most web browsers implement the Same Origin Policy which limits how javascript etc. can interact across domains. Without this policy an attacker could setup a site, and if tricked into visiting it, the attacker could read data from all your logged in sessions (gmail, banking etc.) and perform actions against those sites on your behalf. This policy was seen as a bit to restrictive for flash/flex/silverlight which may need to read data from other domains. Adobe introduced the cross domain policy to address this concern. Unfortunately a lot of sites are not paying attention to what this policy really means.
[...]
0 comment(s) | Permalink | | This entry has been viewed 1690 time(s).
[1 - 1]
About Erlend
I'm a senior consultant at Bekk Consulting AS. This blog is about software development, with a special focus on security.

Follow me on twitter
Latest posts
31.08 [Security] Rails 3.0 and XSS-protection
6.07 [Security] Avoiding NoSQL-injection with MongoDB
27.06 [Security] NOSQL-injection
7.06 [.NET] Microsoft Pex - exploratory testing
18.05 [Security] Security podcasts
Tag cloud
.net, .netspec, adam, ad lds, ajax, asp.net, authorization, axis, bdd, certificates, conference, cookie, craftsman, crossdomain, cross site scripting, csrf, css, escaping, firefox, flash, flex, httponly, input validation, javascript, jquery, jsonp, nosql, nosql-injection, output escaping, owasp, password, phishing, ql-injection, rails, rfi, security, silverlight, spam, speaker, sql-injection, sql injection, ssl, talk, tdd, testing, unit testing, web services, wse, wss4j, x509, xml, xsrf, xss
Categories
All - [RSS]
.NET - [RSS]
Agile - [RSS]
CSS/HTML/Js - [RSS]
Frameworks - [RSS]
Java - [RSS]
Security - [RSS]
Testing - [RSS]
Web Services - [RSS]
Blogroll
Honeynor
BEKK Open
movito
Vidar's musings
Aslak Hellesøy
Geekbeing's rants
Jeremiah Grossman
RSnake
Mike Andrews
Schneier on security
Michael Sutton's blog
Network security blog
On code development
Change is nothing, everything is
leif
hamang.net
Andreas' code blog
The Dilbert Blog
Pearls before swine
(IN)SECURE Magazine