Details
Alert ID 20016-1
Alert Type Active
Status beta
Risk High
CWE 264
WASC 14
Technologies Targeted All
Tags CWE-264
OWASP_2017_A06
OWASP_2021_A05
POLICY_QA_FULL
WSTG-V42-CONF-08
More Info Scan Rule Help

Summary

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Solution

Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using <allow-access-from domain="example.com">. You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data.

Other Info

The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victims web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use.

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/CrossDomainScanRule.java