Most retros are vulnerable to CORS misconfiguration
[QUOTE="BIOS, post: 453510, member: 15674"]
The majority of Habbo retros I've looked at are vulnerable to a simple cross domain hijacking vulnerability due to Flash cross domain policy misconfigurations.

[B]What does that mean?[/B]
Essentially if your users play multiple hotels, the other hotel can hijack their SSO token from your hotel, view or submit forms on any of your pages (i.e. housekeeping / account settings) authenticated as them in the background by simply visiting their site.

[ATTACH=full]9610[/ATTACH]

[B]How do you know if you're vulnerable?[/B]
If your crossdomain.xml file looks like the following:
[CODE=xml]<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>[/CODE]

[B]The fix?[/B]
At the very least, you should remove <allow-access-from domain="[B]*[/B]" /> from your crossdomain.xml and replace it with config [U]specific to your domain[/U].

For example:
Lax but generally safe: <allow-access-from domain="*[B].habboon.pw[/B]" />
Strict: you can restrict it to a specific sub-domain, i.e. <allow-access-from domain="[B][URL='http://www.habboon.pw']www.habboon.pw[/URL][/B]" />

This prevents other domains from reading your site via flash.

I won't be sharing the POC, don't ask.

More details on the topic can be found [URL='https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html']here[/URL].
[/QUOTE]
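As an added example (not code from the post above), a small Python checker that parses a crossdomain.xml policy, classifies it the way the post does (wildcard, lax, strict) and reports which requesting hosts a policy would grant Flash access to. The three policy documents and the hostnames are constructed for the example; the rule that a leading "*." matches the bare domain and every subdomain follows the Adobe cross-domain policy specification.

```python
import xml.etree.ElementTree as ET

# Constructed policies mirroring the three configurations discussed in the post.
WILDCARD_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""
LAX_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.habboon.pw" />
</cross-domain-policy>"""
STRICT_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.habboon.pw" />
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain patterns granted access by a crossdomain.xml document."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "").lower() for el in root.iter("allow-access-from")]


def domain_matches(pattern, host):
    """Flash policy matching: '*' matches every host; '*.example.com' matches
    example.com and any subdomain of it; anything else is an exact host match."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def host_can_read(policy_xml, host):
    """True if a SWF served from `host` could read this site under the policy."""
    return any(domain_matches(p, host) for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """'vulnerable' for a bare '*' (or a wildcard over a single label such as
    '*.pw', which is open to a whole TLD), 'lax' for '*.yourdomain', else 'strict'."""
    patterns = allowed_patterns(policy_xml)
    for p in patterns:
        if p == "*" or (p.startswith("*.") and "." not in p[2:]):
            return "vulnerable"
    if any(p.startswith("*.") for p in patterns):
        return "lax"
    return "strict"
```

Run `audit()` over the policy file your hotel actually serves; anything but "strict" or "lax" on your own domain means another Flash client can read pages as your logged-in users.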