Friday, September 29th, 2006

The Dangers of Cross-Domain Ajax with Flash

Category: Ajax, Flash

In this blog entry, Chris Shiflett takes another look at some of the dangers that can come up with cross-site Ajax via a Flash object embedded in the page. He mentions a previous discussion where Chris points out the filename-specific nature (crossdomain.xml) of this example.

Julien (author of the example) replied in the affirmative that this was the case and Chris, amazed that this was the case, gives an example of how it could be exploited (including a test performed on Flickr). He continues on, talking about pulling in others more experienced with Flash to make sure this problem was true. They find it is and even went to far as to create a simulation of the Myspace worm to show its potential for abuse.

Chris also recommends:

If you have a public API and want to allow cross-domain Ajax requests with Flash, be sure to use a separate domain. If the user interface and API operate in the same domain, there’s almost no limit to what an attacker can do.

Posted by Chris Cornutt at 7:51 am

3.9 rating from 37 votes


Comments feed TrackBack URI


Comment by Paul — September 29, 2006

Link Listing – October 2, 2006

The Dangers of Cross-Domain Ajax with Flash [Via: Chris Cornutt ] In-Browser Wireframe Prototyping with…

Trackback by Christopher Steen — October 3, 2006

New Links (3 Oct)

Link Stuff Borland Gives Up On Core SDP: I Wonder How Much That Cost 'Em? – Larry O'Brien has

Trackback by Hulkster — October 3, 2006

Chris really knows his stuff – thanks buddy.

Comment by public domain — May 28, 2007

Leave a comment

You must be logged in to post a comment.