| Details | |
|---|---|
| Alert ID | 20016-2 |
| Alert Type | Active |
| Status | beta |
| Risk | High |
| CWE | 264 |
| WASC | 14 |
| Technologies Targeted | All |
| Tags |
CWE-264 OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-CONF-08 |
| More Info |
Scan Rule Help |
Summary
Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.
Solution
Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain send (but not necessarily read) requests to this web server, using <allow-http-request-headers-from domain="example.com" headers="Authorization,X-Blahh">. You should only grant access to "*" (all domains) if you are certain that this service is not vulnerable to Cross Site Request Forgery (CSRF) attacks.Other Info
The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victims web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use.References
- https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
- https://learn.microsoft.com/en-us/previous-versions/windows/silverlight/dotnet-windows-silverlight/cc197955(v=vs.95)
- https://learn.microsoft.com/en-us/previous-versions/windows/silverlight/dotnet-windows-silverlight/cc838250(v=vs.95)