An empirical study on the security of cross-domain policies in rich internet applications

Abstract

Adobe Flash and Microsoft Silverlight are two widely adopted platforms for providing Rich Internet Applications (RIA) over the World Wide Web. The need for RIAs to retrieve content hosted on different domains, in order to enrich user experience, led to the use of cross-domain policies by content providers. Cross-domain policies define the list of RIA hosting domains that are allowed to retrieve content from the content provider's domain. Misinterpretation or misconfigurations of the policies may give the opportunity to malicious RIAs to access and handle users' private data. In this paper we present an extensive study on the deployment and security issues of cross-domain policies in the web. Through the examination of a large set of popular and diverse (both geographically and content-wise) websites, we reveal that about 50% (more than 6.500 websites) of the websites that have adopted such policies are vulnerable to attacks. Furthermore, we find such policies in more than 50% of the top 500 websites, examined both globally and per-country. Additionally, we examine local sets of e-shopping websites and find that up to 83% implement weak policies. Interestingly, we observe that the less popular a website is, the higher the probability that it will have a weak policy. Compared to previous studies there is an obvious increasing trend in the adoption of RIA but, at the same time, a decreasing trend regarding secure implementations. Through a proof-of-concept attack implementation and a number of real-world examples, we highlight the security impacts of these policy misconfigurations.