BSides DC 2014 - SWF Seeking Lazy Admin for Cross-Domain Action

Описание: Security misconfiguration is currently #5 on the OWASP 2013 Top 10. This talk shows how the misconfiguration of one file can compromise the security of an entire web application.

In the talk, you’ll be introduced to the crossdomain.xml file. This file determines how third party Flash Objects (SWFs) hosted on other domains can interact with your domain. Unfortunately, this file requires manual configuration on the part of the administrator, and as we all know, when manual configuration is required, mistakes happen. Sometimes, administrators give up and whitelist the entire internet in order to “make it work”. This is essentially like adding an “accept all” rule on your firewall or setting your password to .

We will review how to identify the vulnerability, how to abuse it, and how to write your own SWFs that exploit the flaw. Examples of public sites that until recently contained this vulnerability will be provided, including a few from the Alexa Top 100.

Seth Art (Senior Consultant at Blue Canopy Group)
Seth Art is an Senior Consultant with Blue Canopy Group, LLC. After four years of performing application security testing and assessments, he still can't believe he gets paid to break thing and then tell people about it. He is addicted to learning, but has to come to terms with the fact that he will never be able to learn everything. Prior to joining Blue Canopy, Seth was a Principal Security Engineer at Symantec Managed Security Services, where he spent all of this time "unbreaking" things, particularly firewalls and intrusion detection systems. You can occasionally find Seth at NovaHackers and OWASP DC meetings.