NetSPI Blog

Defeating CSRF Protections Through Expired cross-domain.xml Domains

Jake Reynolds
February 21st, 2017

When someone buys a domain name, the usual registration period is one year, though certain DNS providers allow multi-year purchases. Large entities can quickly lose track of all their domains, and keeping track of when those domains expire can be an even bigger hassle. When you add Flash integration into the mix, it starts becoming a security issue.

Adobe Flash has been known to have many vulnerabilities in the past, and my favorite is actually a feature. Flash respects a cross-domain policy for inter-site communication: the crossdomain.xml file lists the external domains that are allowed to make requests to the Victim Site (VS). An example crossdomain.xml looks like this:

<cross-domain-policy>
    <allow-access-from domain="valid.com"/>
    <allow-access-from domain="testing.com"/>
    <allow-access-from domain="example.com"/>
</cross-domain-policy>

Any of those sites has full cross-domain access to the VS. Many blogs have covered the topic of overly permissive cross-domain policies with rules like <allow-access-from domain="*"/> that allow access from any site. This blog covers a different problem: expired domains that are still allowed in cross-domain files, which lets an attacker purchase that domain and gain full cross-domain access.

Cross-Domain Scanner

As stated before, cross-domain exploitation has been well documented, so I will link tutorials on defeating CSRF through the expired domains below. Here is how we can go about discovering those domains using my crossdomainscanner Python script, located here.

Prerequisites

~$ git clone https://github.com/NetSPI/crossdomainscanner
~$ cd crossdomainscanner
~$ pip install -r requirements.txt

I’ll start with identifying the VS I would like to scan; for this demo I’ll be using https://jakereynolds.co. A VS can be found any number of ways, and we can verify it has a cross-domain policy by accessing https://jakereynolds.co/crossdomain.xml. We’ll then feed this into the cross-domain scanner with the command:

python scanner.py https://jakereynolds.co -v

Once the script is finished it will tell us if there are any expired domains in the policy:

Possible expired domains:
asdaasdasfwkjhcjhbwrgkljsv.com
thisisanexpireddomainaswell.es
jakereynoldsexpireddomain.com

We now know that http://jakereynoldsexpireddomain.com can gain cross-domain access to https://jakereynolds.co, instantly eliminating any CSRF protection that might have existed on the site.
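To show what such a scanner has to do at its core, here is an added example (my own illustration, not the NetSPI crossdomainscanner code) that parses a crossdomain.xml policy and sorts each allow-access-from entry into the three categories reported in the Findings section below: wildcard (*), invalid TLD, and expired (unregistered) domain. The policy text, the TLD allowlist KNOWN_TLDS and the registration table REGISTERED are all constructed for the example; a real check would replace REGISTERED with a WHOIS/RDAP lookup passed in as the is_registered callback, and the two-label fallback in registrable_domain is a simplification that a production tool should replace with a public suffix list lookup.

```python
"""Classify allow-access-from entries in a Flash crossdomain.xml policy.

Added example, not the NetSPI crossdomainscanner tool. The sample policy,
the TLD allowlist and the registration table are constructed for this demo.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy modelled on the entries discussed in the post.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-access-from domain="valid.com"/>
  <allow-access-from domain="*.testing.com"/>
  <allow-access-from domain="intranet.local"/>
  <allow-access-from domain="jakereynoldsexpireddomain.com"/>
  <allow-access-from domain="thisisanexpireddomainaswell.es"/>
</cross-domain-policy>
"""

# Assumption: a small constructed allowlist standing in for the IANA root zone TLD list.
KNOWN_TLDS = {"com", "net", "org", "es", "co", "io"}

# Assumption: constructed registration data standing in for a WHOIS/RDAP lookup.
REGISTERED = {"valid.com", "testing.com"}


def registrable_domain(entry):
    """Reduce a policy entry to the domain that a registrar would sell.

    Strips a leading wildcard label ('*.example.com' -> 'example.com') and then
    keeps the last two labels. Assumption: this two-label rule is a stand-in for
    a public suffix list lookup and is wrong for suffixes such as co.uk.
    """
    host = entry.strip().lower()
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    return ".".join(labels[-2:])


def parse_allowed_domains(policy_xml):
    """Return the domain attribute of every <allow-access-from> element, in order."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def classify(entry, is_registered):
    """Return 'wildcard', 'invalid_tld', 'expired' or 'ok' for one policy entry."""
    if entry.strip() == "*":
        return "wildcard"          # any origin may read responses from the site
    host = registrable_domain(entry)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld not in KNOWN_TLDS:
        return "invalid_tld"       # e.g. .local: never resolvable on the Internet
    if not is_registered(host):
        return "expired"           # anyone can register it and inherit the access
    return "ok"


def scan_policy(policy_xml, is_registered=lambda host: host in REGISTERED):
    """Group every entry of a policy by its risk category."""
    findings = {"wildcard": [], "invalid_tld": [], "expired": [], "ok": []}
    for entry in parse_allowed_domains(policy_xml):
        findings[classify(entry, is_registered)].append(entry)
    return findings


if __name__ == "__main__":
    for category, entries in scan_policy(SAMPLE_POLICY).items():
        print(f"{category:12s} {entries}")
```

The wildcard and invalid-TLD checks need no network access, so they are cheap to run on every deployment; only the expired check depends on the registration lookup, which is why it is injected as a callback rather than hard-coded.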

Exploitation

The best way to exploit this is to take advantage of the CSRF bypass. Purchase the expired domain, make someone visit your site, and if they are logged in on the VS you can make requests under the context of their account. This is done by creating a Flash application for manipulating requests; more on that here. If the VS does not have any valuable APIs, the cross-domain access does not warrant a valid finding, since nothing can be exploited from it.

Findings

Out of the Top 5000 Alexa domains:

  • 222 allow cross-origin requests from any domain (*)
  • 20 allow cross-origin requests from expired domain names
  • 20 allow cross-origin requests from domains with invalid TLDs (.local, .des, etc…)

Recommendation

As a site owner/maintainer, it is best to run this script against your own domain and remove or repurchase any expired domains allowed in your crossdomain.xml file. For long-term monitoring it would be good to incorporate this tool into your development pipeline so that the policy gets checked at least once every production deployment. A permanent fix would be to remove Flash integration from the website, since Flash is already being deprecated in certain browsers.

References

Flash exploitation tutorial (linked above): http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html

In my time researching I discovered a similar tool for this written by @IAmMandatory, you can find that here.
