Vulnerability ID: 1E2X-9NMN-N57T-RBA1
Application Name: AgentMessageGeneratorJava
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/6394f24f-037b-43bb-8ac2-05fa5fb5d862/vulns/1E2X-9NMN-N57T-RBA1
What Happened?
The crossdomain.xml had an overly permissive <allow-access-from> in the following section:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM
      "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
      <site-control permitted-cross-domain-policies="all"/>
      <allow-access-from domain="*" secure="false"/>
      <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
    </cross-domain-policy>
What's the risk?
This policy lets a malicious actor read your users' data or forge actions on their behalf.
Granting access to any domain (domain="*") effectively disables the same-origin policy for Flash Player, Silverlight, and any other browser plugin that honours crossdomain.xml: plugin content loaded from any origin may send requests to this site and read the responses. Because the plugin attaches the user's cookies to those requests, the attacker receives exactly what the logged-in user would receive.
So if a malicious actor can trick a user into visiting their page on evil.com, a SWF on that page can issue requests to your site as that user, read sensitive data, and perform any action the user is permitted to perform. Two further attributes widen the exposure: secure="false" extends the grant to pages served over plain HTTP (so an attacker on the network path can inject the requesting content), and permitted-cross-domain-policies="all" makes the plugin honour any other policy file an attacker manages to place on this host, for example through a file upload.
Recommendation
Replace the wildcard in the domain attribute of each allow-access-from (and allow-http-request-headers-from) element with an explicit list of the domains that genuinely need access, and set secure="true" on each so that only content served over HTTPS is granted it. Unless you deliberately rely on per-directory policy files, set permitted-cross-domain-policies to "master-only" (or "none" if no cross-domain plugin access is needed). If nothing needs plugin access at all, remove crossdomain.xml entirely; Flash Player has been end-of-life since the end of 2020, and the file still states what the site trusts.
Alternatively, since a crossdomain.xml only grants access to resources on the host that serves it, host APIs that return sensitive data on a different domain from the one carrying the permissive policy. For example, if publicly available APIs and the crossdomain.xml are hosted at http://public.domain.com, APIs that could return sensitive data should be hosted at http://private.domain.com, which serves no policy file or a strict one.
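The following audit script is an added example for this report; it is not part of the original finding or of Contrast's own tooling. It parses a crossdomain.xml with the standard library and reports the weaknesses discussed above (wildcard domains, secure="false", wildcard request headers, and permitted-cross-domain-policies="all"), checked against a constructed copy of the reported policy and a constructed hardened policy. The host name app.example.com and the header X-Requested-With in the hardened sample are assumptions for illustration.

```python
"""Audit a crossdomain.xml for overly permissive settings.

Added example, not part of the original report or of Contrast's tooling.
Both sample policies below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the shape of the policy reported above (wildcard
# domain, cleartext origins allowed, and every policy file on the host
# honoured).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
  "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed sample: a hardened policy. Only a named host is trusted,
# cleartext origins are refused, and only the master policy file counts.
# app.example.com and X-Requested-With are assumptions for the example.
HARDENED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
  "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
  <allow-http-request-headers-from domain="app.example.com"
      headers="X-Requested-With" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text):
    """Return a list of findings (strings) for one crossdomain.xml document.

    An empty list means none of the checked weaknesses were present.
    The stdlib parser does not fetch the external DTD, so the DOCTYPE is
    harmless here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, expected <cross-domain-policy>" % root.tag]

    findings = []

    # "all" means any policy file on the host is honoured, including one an
    # attacker uploads; "master-only" limits trust to /crossdomain.xml.
    for site_control in root.findall("site-control"):
        if site_control.get("permitted-cross-domain-policies", "") == "all":
            findings.append('site-control permits "all" policy files on the host')

    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for element in root.findall(tag):
            domain = element.get("domain", "")
            if domain == "*":
                findings.append("%s grants every domain" % tag)
            elif domain.startswith("*."):
                findings.append("%s uses wildcard subdomain %s" % (tag, domain))
            # secure="false" extends the grant to content served over
            # plain HTTP, which a network attacker can replace.
            if element.get("secure", "true").lower() == "false":
                findings.append('%s for "%s" has secure="false"' % (tag, domain))
            if tag == "allow-http-request-headers-from" and element.get("headers") == "*":
                findings.append('%s lets "%s" send any request header' % (tag, domain))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print("%s policy:" % name)
        for finding in audit_crossdomain_policy(policy) or ["no findings"]:
            print("  - " + finding)
```

Run it against a policy fetched from a site you are authorised to test; six findings are expected for the permissive sample and none for the hardened one. A policy that passes this check can still be wrong for your site if a listed domain is one you do not control, so review the allowlist by hand as well.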
First Event
(no event)
Last Event
(no event)
HTTP Request
(No HTTP Request)
References
http://cseweb.ucsd.edu/~hovav/dist/crossdomain.pdf
http://www.ics.forth.gr/_publications/crossdomainxml_eurosec11.pdf