Flash Crossdomain.xml Security

Tag: flash, security, crossdomain.xml Author: wdsaf45 Date: 2012-11-28

How can I hide the IP address from the crossdomain.xml file and give all the client IPs access to the server data from the web server application?

Here is an example:

The following are the client IPs: 121.171.1.181, 121.171.1.182, 121.171.1.183, 121.171.1.184

All the above clients have demo.swf installed, which uses the following URL, http://www.test.com/data.txt, to get the data to use in the demo.swf file.

Note: (I have 100 of client IPs in the production scenario)

The web server is www.test.com, and the following crossdomain.xml is located in the root:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="121.171.1.181" secure="false" to-ports="80" />
    <allow-access-from domain="121.171.1.182" secure="false" to-ports="80" />
    <allow-access-from domain="121.171.1.183" secure="false" to-ports="80" />
    <allow-access-from domain="121.171.1.184" secure="false" to-ports="80" />
    <allow-http-request-headers-from domain="121.171.1.181" headers="*" secure="false" />
    <allow-http-request-headers-from domain="121.171.1.182" headers="*" secure="false" />
    <allow-http-request-headers-from domain="121.171.1.183" headers="*" secure="false" />
    <allow-http-request-headers-from domain="121.171.1.184" headers="*" secure="false" />
</cross-domain-policy>

Problem: The security scanning software's scans show the internal IP address identified in the crossdomain.xml file.

How can I hide the IP address in the crossdomain.xml file and allow all clients to access the http://www.test.com/data.txt file?

Other Answer1

So, I'm not quite sure why your security scanning software cares about IP addresses in that file, but I'll assume that it does, and attempt to give you a possible answer.

One way to not have to use IP addresses is by creating DNS records as identifiers, instead of using the IP address. DNS's purpose in life is to let you type stuff like "www.microsoft.com" instead of "65.55.57.27".

So, if you have access to a DNS server you could theoretically assign DNS addresses to those pesky IP addresses, and then put the DNS names in the file instead of IP addresses.

So, if you set up your DNS to map:

 121.171.1.181 to node1.mydomain.com
 121.171.1.182 to node2.mydomain.com

etc... then your XML could look like:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="node1.mydomain.com" secure="false" to-ports="80" />
    <allow-access-from domain="node2.mydomain.com" secure="false" to-ports="80" />
    <allow-access-from domain="node3.mydomain.com" secure="false" to-ports="80" />
    <allow-access-from domain="node4.mydomain.com" secure="false" to-ports="80" />
    <allow-http-request-headers-from domain="node1.mydomain.com" headers="*" secure="false" />
    <allow-http-request-headers-from domain="node2.mydomain.com" headers="*" secure="false" />
    <allow-http-request-headers-from domain="node3.mydomain.com" headers="*" secure="false" />
    <allow-http-request-headers-from domain="node4.mydomain.com" headers="*" secure="false" />
</cross-domain-policy>

Good luck, Adam Hoffman

http://www.stratospher.es - My Windows Azure Blog @stratospher_es - The Twittererer

comments:

Thanks for your reply. But I cannot access the DNS server, and it is not possible to create DNS records for all the clients.
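
The DNS-name substitution suggested in the answer above, as an added example that is not part of the original thread: it rewrites IP-literal domain attributes from a mapping and reports the addresses that still have no DNS name. The sample policy is constructed from the question's file, and the DNS_NAMES mapping and the function names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the question's policy, shortened, plus one DNS-named entry.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="121.171.1.181" secure="false" to-ports="80" />
    <allow-access-from domain="121.171.1.182" secure="false" to-ports="80" />
    <allow-access-from domain="node3.mydomain.com" secure="false" to-ports="80" />
    <allow-http-request-headers-from domain="121.171.1.181" headers="*" secure="false" />
</cross-domain-policy>"""

# Hypothetical IP -> DNS name mapping, following the answer's node1/node2 naming.
DNS_NAMES = {"121.171.1.181": "node1.mydomain.com"}

POLICY_TAGS = ("allow-access-from", "allow-http-request-headers-from")


def is_ip_literal(value):
    """True when a domain attribute is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def replace_ip_literals(policy_xml, dns_names):
    """Swap IP-literal domain attributes for DNS names.

    Returns (rewritten_xml, unmapped); unmapped lists the IPs that have no
    DNS name yet and therefore still appear in the policy.
    """
    root = ET.fromstring(policy_xml)
    unmapped = []
    for element in root.iter():
        if element.tag not in POLICY_TAGS:
            continue
        domain = element.get("domain", "")
        if not is_ip_literal(domain):
            continue
        if domain in dns_names:
            element.set("domain", dns_names[domain])
        elif domain not in unmapped:
            unmapped.append(domain)
    # ElementTree drops the XML declaration and DOCTYPE; re-add them on publish.
    return ET.tostring(root, encoding="unicode"), unmapped
```
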