Using crossdomain.xml file
Damo: Crossdomain.xml. Don't put one up if you don't want applications from other domains to hit your server. Say BANK.COM has a page that lets you transfer money between accounts. Let's say it has an open crossdomain.xml. The user logs in to BANK.COM as usual. On EVIL.COM is a malicious Flash app. That app can make a request to BANK.COM. That request will come from the browser just like any other request. That means the app could silently hit that transfer page. BANK.COM would see the user as already logged in because the request came from a browser that had correctly authenticated, and happily allow it to proceed.

Ronnie Liew: This isn't strictly true; the workaround for the crossdomain file is to proxy all network traffic through the same server hosting your Flash application.

Alexandre Victoor

James Ward: You might filter by other headers in the request, etc.

Richard Haven

About the author: Matthew Bryant (mandatory), security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.
A weak crossdomain.xml can allow any third-party domain to access sensitive content inside your domain. Depending on the criticality of the application, the risk may vary from a low-risk to a high-risk threat. Abuse of a permissive crossdomain.xml can have several impacts; a few among them are bypassing CSRF protection, stealing credit card details, and reading account transaction details.
As a third-party attacker interested in exploiting this vulnerability, one would need to build a malicious Flash application. The steps are as follows. Step 1: Modify the ActionScript code snippet shown below according to your in-scope application URL.
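The two passages above (the BANK.COM/EVIL.COM answer and the paragraph on weak crossdomain.xml files) both come down to one question: does the policy file name a small set of trusted origins, or does it open the host to everyone? The following audit script is an added example, not code from the page or from the authors quoted on it. It parses a crossdomain.xml body with the standard library and flags the settings that make a policy "open": a wildcard in `allow-access-from`, `secure="false"`, a wildcard in `allow-http-request-headers-from`, and `site-control permitted-cross-domain-policies="all"`. Both sample policies are constructed for illustration, and the assumption that a missing `secure` attribute behaves like `secure="true"` is the script's own simplification.

```python
"""Audit an Adobe crossdomain.xml policy for overly permissive settings.

Added example, not from the original page. It inspects the elements of Adobe's
cross-domain policy file format: <site-control permitted-cross-domain-policies>,
<allow-access-from domain secure> and <allow-http-request-headers-from domain headers>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "open" policy discussed above. Any SWF on any origin may
# read responses from this host, with the victim's session cookies attached.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: a restrictive policy naming the one partner host it trusts,
# and only when the caller is served over HTTPS.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="partner.example.com" secure="true"/>
</cross-domain-policy>
"""


def _is_wildcard(domain):
    """True for '*' or a wildcard that covers a whole top-level domain ('*.com')."""
    if domain == "*":
        return True
    return domain.startswith("*.") and domain.count(".") == 1


def audit_crossdomain(xml_text):
    """Return a list of (severity, message) findings for a crossdomain.xml body."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", "unparseable policy: %s" % exc)]
    if root.tag != "cross-domain-policy":
        return [("error", "root element is <%s>, expected <cross-domain-policy>" % root.tag)]

    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append(("medium", "site-control permits policy files anywhere on the host"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # Assumption of this example: a missing 'secure' attribute is treated as "true".
        secure = rule.get("secure", "true").lower()
        if _is_wildcard(domain):
            findings.append(("high", "allow-access-from grants every origin matching %r" % domain))
        if secure == "false":
            findings.append(("medium", "allow-access-from domain=%r accepts non-HTTPS callers (secure=\"false\")" % domain))

    for rule in root.findall("allow-http-request-headers-from"):
        domain = rule.get("domain", "")
        headers = rule.get("headers", "")
        if _is_wildcard(domain) or headers.strip() == "*":
            findings.append(("high", "arbitrary request headers accepted (domain=%r headers=%r)" % (domain, headers)))

    return findings


def is_open_policy(xml_text):
    """True when the policy grants access to an unrestricted set of origins."""
    return any(severity == "high" for severity, _ in audit_crossdomain(xml_text))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, "open" if is_open_policy(policy) else "restricted")
        for severity, message in audit_crossdomain(policy):
            print("  [%s] %s" % (severity, message))
```

Run against a live host by fetching `/crossdomain.xml` and passing the body to `audit_crossdomain`; the wildcard check deliberately treats `*.com`-style patterns as equivalent to `*`, since they admit every host in that top-level domain.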
I then created another WCF svc, but when I invoke the async methods in the second svc I get the whole crossdomain. About my other question: I hear that it is a good idea to host any and all WCF services on another server, one other than the Silverlight app?? Is this good practice when going live?

Silverlight uses it when it can't find the SL one. Both serve about the same goal, but the SL version is more precise and best suited for use with SL. Of course..

Thanks for the reply. I have developed a Silverlight 2 app utilizing a WCF service. When I run the app, it executes a few methods with a small amount of data returned just fine, but when it is supposed to return some data for the grid (not too much, maybe a few megs), it breaks accessing the WCF:

"This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details."

Basically the policy file should go in the root of your local IIS web server.

As I said, "the client access policy file must be present at the root of the web site". When you are testing your app locally there is no need for a client access policy file, since there are no cross-domain calls. Otherwise, the file must be at the root of the web services you're calling. There is no special place for "vista". There is a special place for any server you're calling: the root of that server.