HTTP Cross Domain Policy File Scanner

Details
Asset Type

DOMAIN, IP

Need Membership

No

Asset Verify

No

API Support

Yes

Estimated Time (Seconds)

15

HTTP Cross Domain Policy File Scanner Detail

This script can be used to find permissive cross-domain setups, and trusted domain names that are available for purchase, which an attacker could use to manipulate the application.

It checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) of a web application and lists the trusted domains. Overly permissive settings enable Cross Site Request Forgery attacks and may allow attackers to access sensitive data. The script reports permissive configurations and trusted domain names that are possibly available for purchase.

The script queries instantdomainsearch.com to look up the domains. This functionality is turned off by default; to enable it, set the script argument http-cross-domain-policy.domain-lookup.
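The following is an added example, not the scanner's own code, showing the kind of check the description refers to: it parses a crossdomain.xml and a clientaccesspolicy.xml, lists the trusted domains, flags the permissive directives a reviewer should care about, and extracts the concrete host names that would be worth checking for registration status. The two policy files are constructed samples, and the domain-availability lookup that the real script performs against instantdomainsearch.com is deliberately left out; `lookup_candidates` only produces the list of names one would look up.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample policy files (not captured from any real site) that
# exhibit the permissive settings a scanner should report.
SAMPLE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="cdn.example-assets.net"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

SAMPLE_CLIENTACCESSPOLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
        <domain uri="https://partner.example.org"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


@dataclass
class PolicyReport:
    trusted_domains: list = field(default_factory=list)  # every domain the file trusts
    findings: list = field(default_factory=list)         # permissive directives found


def parse_crossdomain_xml(text: str) -> PolicyReport:
    """Parse a Flash-style crossdomain.xml and flag permissive directives."""
    report = PolicyReport()
    root = ET.fromstring(text)  # ElementTree does not resolve external entities
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies", "").lower() == "all":
        report.findings.append('site-control permitted-cross-domain-policies="all": any policy file on the host is honoured')
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        report.trusted_domains.append(domain)
        if domain == "*":
            report.findings.append('allow-access-from domain="*": any origin may read responses')
        elif domain.startswith("*."):
            report.findings.append(f"allow-access-from {domain}: every subdomain is trusted")
        if el.get("secure", "true").lower() == "false":
            report.findings.append(f'allow-access-from {domain} secure="false": plain-HTTP origins are trusted')
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            report.findings.append('allow-http-request-headers-from domain="*" headers="*": any origin may send any header')
    return report


def parse_clientaccesspolicy_xml(text: str) -> PolicyReport:
    """Parse a Silverlight-style clientaccesspolicy.xml and flag permissive directives."""
    report = PolicyReport()
    root = ET.fromstring(text)
    for policy in root.iter("policy"):
        for allow in policy.findall("allow-from"):
            if allow.get("http-request-headers") == "*":
                report.findings.append('allow-from http-request-headers="*": any header may be sent cross-domain')
            for dom in allow.findall("domain"):
                uri = dom.get("uri", "")
                report.trusted_domains.append(uri)
                if uri == "*":
                    report.findings.append('domain uri="*": any origin is trusted')
                elif uri.startswith("http://"):
                    report.findings.append(f"domain uri={uri}: plain-HTTP origin is trusted")
        for res in policy.iter("resource"):
            if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
                report.findings.append('resource path="/" include-subpaths="true": the whole site is exposed')
    return report


def lookup_candidates(trusted_domains: list) -> list:
    """Reduce trusted entries to bare host names worth checking for registration.
    Wildcards are dropped, schemes and a leading '*.' are stripped. The actual
    availability query is out of scope here (the scanner uses instantdomainsearch.com)."""
    names = []
    for entry in trusted_domains:
        host = entry.split("://", 1)[-1].split("/", 1)[0]
        if host.startswith("*."):
            host = host[2:]
        if host and host != "*" and host not in names:
            names.append(host)
    return names


if __name__ == "__main__":
    for label, parser, text in (("crossdomain.xml", parse_crossdomain_xml, SAMPLE_CROSSDOMAIN),
                                ("clientaccesspolicy.xml", parse_clientaccesspolicy_xml, SAMPLE_CLIENTACCESSPOLICY)):
        rep = parser(text)
        print(f"== {label}: trusted={rep.trusted_domains}")
        for f in rep.findings:
            print("  [!]", f)
        print("  lookup candidates:", lookup_candidates(rep.trusted_domains))
```

Run against a live target you would fetch both files over HTTPS and feed the bodies to the two parsers; a non-200 response or non-XML body simply means no policy file is published, which is the safe state.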


Some Advice for Common Problems

Decide explicitly which sites are permitted to make cross-domain calls, and trust only those. Consider the network architecture and any authentication mechanisms (session cookies, HTTP authentication) that will be affected by the cross-domain policy's settings or implementation, since a trusted origin can make requests with the user's credentials.

Need a Full Assessment?

Get help from professional hackers. Learn about our penetration test service now!
