All geek questions in one place

What are the risks of having secure = false in crossdomain.xml

Allowed access from node has an optional "secure" attribute. So say that crossdomain.xml on mysite.com has:

<allow-access-from domain="subdomain.example.com" secure="false">

If this parameter is set to true (the default), the Flash client received via HTTP cannot access data on mysite.com via HTTPS.

I can only think of one risk when setting safe to false: a user with a poisoned host file or DNS server can be redirected to a flash client on fake http://subdomain.example.com . This flash client can now access sensitive data on mysite.com (provided that our user has registered on mysite.com).

Are there any further risks? I assume that the data is still encrypted as the client connects to the https server, so it is protected on transport.

I read the Flash white security paper and it was not included in the risk details: http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html

Thanks!

+6
source share
1 answer

Although any data sent to your SWF will be safe (provided that it is connected via HTTPS), data sent to a SWF from a third party will not be protected through this setting, as you already know.

For example, I enter your swf with my social security number. Connecting to SWF is safe , so I am "safe" there. However, your SWF sends login information to your server via HTTP to verify my credentials. Having received valuable data from your server with an insecure connection, security is compromised .

You are safe if the data is not important, but as a rule, I always associated HTTPS with HTTPS whenever possible.

Relations -

+3
source

Source: https://habr.com/ru/post/897960/

More articles:


All Articles