Analyzing the Crossdomain Policies of Flash Applications

Adobe Flash is a rich Internet application platform. Flash applications are often deployed to the Web; the Flash Player plugin is installed on a large fraction of all Web-connected PCs. Flash provides a mechanism by which sites can opt in to more expressive information sharing regimes than the same-origin policy for JavaScript allows. A site that wishes to share its content can host a crossdomain policy file, crossdomain.xml, which lists sites authorized to access the sharing site’s content, or even a wildcard to allow all access. Because browsers will typically attach cookies to crossdomain URL requests made by the Flash Player plugin, a site that publishes a crossdomain policy effectively opts out from some of the confidentiality guarantees of the same-origin policy. In some cases, a misconfigured, overly permissive crossdomain policy can expose a site to attacks such as information disclosure or CSRF. In 2008, Jeremiah Grossman surveyed the crossdomain policies of the Alexa Top 500 sites and the sites of the Fortune 500, and found that 7% hosted crossdomain policy files allowing unrestricted access. In this paper, we repeat Grossman’s survey on a larger corpus of sites: the Alexa global Top 50,000 sites. In addition, we use an instrumented Firefox to survey the actual crossdomain requests issued by Flash content hosted on the front pages of the Alexa global Top 50,000 sites. Our survey provides new data about the use of Flash crossdomain policies on popular sites. For example, we find that approximately 6.0% of the surveyed sites allow unrestricted crossdomain access, including 12 sites in the Alexa Top 100, and that, at a minimum, 6.7% of crossdomain requests made by Flash applications we observed were denied by the target site’s crossdomain policy. Our findings suggest that Flash’s crossdomain policy mechanism may be liable to misconfiguration in practice. We propose some techniques for mitigating the security problems that might arise from such misconfiguration.
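The abstract describes the policy file whose permissiveness the survey classifies: a crossdomain.xml that names trusted domains, or uses a wildcard to trust everyone, while the browser still attaches the user's cookies to the resulting requests. The following audit script is an added example, not code from the paper or from Adobe; it parses a policy with the standard-library XML parser and flags the settings that widen access (a wildcard `allow-access-from`, wildcard subdomains, `secure="false"`, an open `allow-http-request-headers-from`, and `site-control` set to `all`). The three sample policies are constructed for the example; the second one is the loose version and the third its tightened form.

```python
"""Audit a Flash crossdomain.xml policy for overly permissive settings.

Added example (not from the paper). The sample policies below are
constructed; the element and attribute names are the ones Adobe defines
for crossdomain.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "unrestricted" case the survey counts.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# Constructed sample: restricted to named domains, but with weak spots.
MIXED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.net" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: the tightened form of MIXED_POLICY.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
  <allow-access-from domain="partner.example.net" secure="true"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return {'verdict': ..., 'domains': [...], 'findings': [...]} for one policy.

    verdict is 'unrestricted' (wildcard domain), 'restricted' (named domains
    only), 'closed' (no allow-access-from at all) or 'invalid' (unparseable).
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"verdict": "invalid", "domains": [], "findings": ["XML parse error: %s" % exc]}
    if root.tag != "cross-domain-policy":
        return {"verdict": "invalid", "domains": [],
                "findings": ["root element is not cross-domain-policy"]}

    domains = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        domains.append(domain)
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may read responses '
                            "(sent with the user's cookies)")
        elif domain.startswith("*."):
            findings.append("wildcard subdomain %s: every host under it is trusted" % domain)
        # secure="false" lets content loaded over plain HTTP read an HTTPS site's data.
        if el.get("secure", "true").lower() == "false":
            findings.append('%s: secure="false" grants access to HTTP-loaded content' % domain)

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any site may send '
                            "custom headers (%s)" % el.get("headers", ""))

    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": a policy file '
                        "anywhere on the site may widen access")

    if "*" in domains:
        verdict = "unrestricted"
    elif domains:
        verdict = "restricted"
    else:
        verdict = "closed"
    return {"verdict": verdict, "domains": domains, "findings": findings}


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("mixed", MIXED_POLICY),
                         ("hardened", HARDENED_POLICY)):
        result = audit_policy(policy)
        print("%s: %s" % (name, result["verdict"]))
        for finding in result["findings"]:
            print("  - " + finding)
```

Running the script on your own site's policy (read the file and pass its text to `audit_policy`) reproduces the survey's basic classification and lists what to tighten; the hardened sample shows the shape that yields a `restricted` verdict with no findings.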