Most retros are vulnerable to CORS misconfiguration
<blockquote data-quote="BIOS" data-source="post: 453541" data-attributes="member: 15674"><p>Nope. If a site has no crossdomain.xml file, it will default to a sane deny by default. If you have one, it will use that as the CORS policy for Flash-based applications - this is different to regular CORS headers (which block JavaScript and such from accessing your site cross-origin).</p><p></p><p></p><p>Nope, it should only apply to the sub-domain which it is served from if configured correctly.</p><p></p><p></p><p>Likely lack of knowledge in the area. I know this attack has been used in the past against a few large orgs (i.e. PayPal - was actually used to leak sensitive info such as account balance) some years back.</p><p></p><p>Explanation of how the policies work taken from Adobe docs:</p><p>[attached image: Adobe documentation excerpt on cross-domain policy files]</p></blockquote><p></p>
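Added example, not code from BIOS's post or from any retro: a small Python audit of the two behaviours described above (no crossdomain.xml served means the Flash runtime denies cross-domain reads; a served file becomes the policy for that host). The two policy files, host names and function names are constructed for the demo, and the domain matching is a simplification of the Adobe rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for the demo; not taken from any real retro.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""

RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*.example-retro.test" secure="true" />
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Domain patterns granted by a crossdomain.xml; None means no file was
    served, which the Flash runtime treats as deny-all."""
    if policy_xml is None:
        return []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def flash_allows(policy_xml, swf_host):
    """Would a SWF served from swf_host be allowed to read this host's responses?
    Simplified matching: '*' (anything), '*.suffix' (subdomains), or exact host."""
    for pattern in allowed_domains(policy_xml):
        if pattern == "*" or pattern == swf_host:
            return True
        if pattern.startswith("*.") and swf_host.endswith(pattern[1:]):
            return True
    return False


def audit(policy_xml):
    """Findings a site owner should fix before the file ships."""
    findings = []
    if policy_xml is None:
        return findings  # no file: deny by default, nothing to flag
    root = ET.fromstring(policy_xml)
    for el in root.iter("allow-access-from"):
        if el.get("domain") == "*":
            findings.append("wildcard grant: any origin may read responses")
        if el.get("secure") == "false":
            findings.append("secure=false: grant also honoured from plain-HTTP origins")
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control=all: policy files elsewhere on the host are honoured")
    return findings
```

Run `audit()` against the file your retro actually serves at `/crossdomain.xml`; an empty list for the restrictive policy and three findings for the permissive one is the expected result on the samples above.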