An Empirical Study on the Security of Cross-Domain Policies in Rich Internet Applications

Georgios Kontaxis, Demetris Antoniades, Iasonas Polakis and Evangelos P. Markatos
Institute of Computer Science, Foundation for Research and Technology, Hellas
{kondax,danton,polakis,markatos}@ics.forth.gr

ABSTRACT

Adobe Flash and Microsoft Silverlight are two widely adopted platforms for providing Rich Internet Applications (RIA) over the World Wide Web. The need for RIAs to retrieve content hosted on different domains, in order to enrich the user experience, led content providers to adopt cross-domain policies. A cross-domain policy defines the list of RIA-hosting domains that are allowed to retrieve content from the content provider's domain. Misinterpretation or misconfiguration of these policies may give malicious RIAs the opportunity to access and handle users' private data.

In this paper we present an extensive study of the deployment and security issues of cross-domain policies on the web. Through the examination of a large set of popular and diverse (both geographically and content-wise) websites, we reveal that about 50% (more than 6.500 websites) of the websites that have adopted such policies are vulnerable to attacks. Furthermore, we find such policies in more than 50% of the top 500 websites, examined both globally and per country. Additionally, we examine local sets of e-shopping websites and find that up to 83% implement weak policies. Interestingly, we observe that the less popular a website is, the higher the probability that it will have a weak policy. Compared to previous studies there is an obvious increasing trend in the adoption of RIA but, at the same time, a decreasing trend regarding secure implementations. Through a proof-of-concept attack implementation and a number of real-world examples, we highlight the security impact of these policy misconfigurations.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. EUROSEC'11, 10-APR-2011, Salzburg, Austria. Copyright 2011 ACM 978-1-4503-0613-3/11/04 ...$10.00.

1. INTRODUCTION

Adobe Flash (http://www.adobe.com/flashplatform/) and Microsoft Silverlight (http://www.silverlight.net) are two popular platforms for serving Rich Internet Applications [4] through the web. According to the latest statistics [1, 3], 85 out of the top 100 websites serve Flash objects (or Flash movies) to their visitors, 98% of whom have the ability to render such objects (53.5% for Silverlight). Such applications combine a graphics library and a script-like API to add functionality, content or multimedia features to a website. These APIs enable the developer, among other things, to fetch content from remote web locations (e.g. XML data such as RSS feeds) or to communicate with a database via a remote PHP page. Flash applications are packaged into objects, embedded in an HTML page and later downloaded and executed within the user's browser. The ability of RIA platforms to retrieve remote content aims at service enrichment. However, it also reintroduces the problem of cross-domain access, i.e., a Flash object hosted by domainA accessing data residing in domainB. While defense mechanisms have been successfully deployed for traditional web technologies [7], these solutions cannot be applied in the case of RIA platforms. In lieu of these techniques, cross-domain policies were introduced to restrict Flash objects from accessing arbitrary network destinations.
Cross-domain policies are XML files that reside on the server side and grant per-domain access to Flash object requests on an opt-in basis. Due to the popularity of Adobe Flash for delivering rich content to web users, such policies are often deployed. However, those who implement them do not always fully understand them, or are unaware of their security implications.

A website's cross-domain policy with weak security properties may permit Flash objects from arbitrary locations to access its contents. Consider an attack scenario where an attacker crafts a malicious Flash object and places it under http://attacker.com/malicious.swf. Once victims visit the malicious URL, the object is loaded in their web browsers and enables the attacker to place arbitrary HTTP requests towards the site with the weak security policy. Since the malicious Flash object is loaded inside the victim's browser, any HTTP requests it makes originate from the victim's computer. Furthermore, the victim's browser appends the victim's credentials (e.g. HTTP cookies) to those requests. So, for instance, an attacker can request http://shopping.com/cart and receive the contents of the victim's shopping cart, if she is logged in to shopping.com. Even worse, an attacker can place a request purchasing an item, using the victim's credit card which is stored in her account.

This paper raises awareness of the use of Adobe Flash and Microsoft Silverlight cross-domain policies. We conduct an extensive study across popular websites and present our findings regarding the adoption of such policies and their security. We provide real-world examples of policy weaknesses that we came across during our study. We present a proof-of-concept implementation of an end-to-end attack platform that can exploit such policy vulnerabilities. Finally, we discuss possible approaches to mitigate the problem.
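To make the notion of a weak versus a restrictive policy concrete, the following Python auditor is an added example (not code from the paper or its proof-of-concept). It parses two constructed crossdomain.xml documents using the elements defined in Adobe's cross-domain policy file specification (allow-access-from with its domain and secure attributes, site-control, allow-http-request-headers-from); the domain names are assumed placeholders.

```python
import xml.etree.ElementTree as ET

# Two constructed policy files for illustration; neither belongs to a real site.
WEAK_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

STRICT_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.static.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (severity, message) findings for one crossdomain.xml document.

    "high" means a Flash object served from any origin may read this site's
    responses with the visitor's cookies attached: the weak-policy condition.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "document is not a <cross-domain-policy>")]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": every origin may read responses'))
        elif domain.startswith("*."):
            findings.append(("medium", f"{domain}: every subdomain is trusted; one weak subdomain exposes the site"))
        # secure defaults to true; "false" lets SWFs loaded over plain HTTP use an HTTPS policy.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", f'{domain}: secure="false" weakens the HTTPS policy'))
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append(("high", "any origin may send arbitrary request headers"))
    control = root.find("site-control")
    if control is not None and control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control=all: policy files anywhere on the host are honoured"))
    return findings


def is_weak(xml_text):
    """True when the policy has at least one high-severity finding."""
    return any(sev == "high" for sev, _ in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, "->", audit_policy(policy))
```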
The contributions of our work can be summarized as follows:

• We provide vulnerability awareness regarding the use of cross-domain Flash and Silverlight web policies.