Friday, September 29th, 2006
The Dangers of Cross-Domain Ajax with Flash
<p> In this blog entry, Chris Shiflett takes another look at some of the dangers that can come up with cross-site Ajax via a Flash object embedded in the page. He mentions a previous discussion where Chris points out the filename-specific nature (crossdomain.xml) of this example.Julien (author of the example) replied in the affirmative that this was the case and Chris, amazed that this was the case, gives an example of how it could be exploited (including a test performed on Flickr). He continues on, talking about pulling in others more experienced with Flash to make sure this problem was true. They find it is and even went to far as to create a simulation of the Myspace worm to show its potential for abuse.
Chris also recommends:
If you have a public API and want to allow cross-domain Ajax requests with Flash, be sure to use a separate domain. If the user interface and API operate in the same domain, there’s almost no limit to what an attacker can do.
Related Content:
4 rating from 32 votes
Thanks
Link Listing – October 2, 2006
The Dangers of Cross-Domain Ajax with Flash [Via: Chris Cornutt ] In-Browser Wireframe Prototyping with…
New Links (3 Oct)
Link Stuff Borland Gives Up On Core SDP: I Wonder How Much That Cost 'Em? – Larry O'Brien has
Chris really knows his stuff – thanks buddy.