Same Origin Policy bypass

ID H1:47495
Type hackerone
Reporter zoczus
Modified 2015-03-27T14:29:12



After a small investigation I've probably found something that can be exploited to bypass the Same Origin Policy on services (especially your main domain and

First of all - let's take a look at your crossdomain.xml (both for and

<cross-domain-policy>
    <allow-access-from domain="" to-ports="80"/>
    <allow-access-from domain="" to-ports="80"/>
    <allow-access-from domain="" to-ports="80"/>
    <allow-access-from domain="" to-ports="80"/>
    <allow-access-from domain="" to-ports="80"/>
    <allow-access-from domain="" to-ports="80"/>
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

After some time spent searching for useful files I found a Flash uploader on which is mentioned in crossdomain.xml.

A few important things about this Flash file (

1) It uses Security.allowDomain("*"), which is extremely dangerous.
2) It has an interesting callback to the ajaxCall() method.

I want to tell you more about the ajaxCall() ActionScript function - here's a snippet:

You can see that before the request goes out there are a few checks - the provided URL must start with the http:// scheme and must have before the first / (to prevent sending requests to other domains). The bypass is simple here - we can use the username@hostname notation - ;-) (r.php returns a 301 and redirects us wherever $_GET['r'] tells it to).
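To make the check and its bypass concrete, here is an added example. It is not the uploader's own ActionScript (the report does not reproduce that snippet); it models the check as the report describes it (scheme must be http://, the expected host must appear before the first /) next to a parser-based check, and runs both over constructed URLs. The hostnames trusted.example and attacker.example are placeholders, not the domains in the report.

```javascript
// Added example, not the uploader's own code. Models the URL check the report
// describes and shows why the user@host form gets past it.
// All hostnames are placeholders (assumption), not the real domains.
const EXPECTED_HOST = "trusted.example";   // assumed: the host the uploader expects

// Naive check in the spirit of the one described: the URL must start with
// http:// and the expected host must appear before the first "/" after it.
function naiveCheck(url) {
  if (!url.startsWith("http://")) return false;
  const start = "http://".length;
  const firstSlash = url.indexOf("/", start);
  const authority = firstSlash === -1 ? url.slice(start) : url.slice(start, firstSlash);
  return authority.indexOf(EXPECTED_HOST) !== -1;
}

// Where the request really goes: the WHATWG URL parser treats everything
// before "@" in the authority as userinfo, so the host is what follows it.
// Returns null for unparseable input.
function actualHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Hardened check: parse, require plain http, refuse any userinfo, and compare
// the parsed hostname exactly instead of searching for a substring.
function strictCheck(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return false;
  }
  if (u.protocol !== "http:") return false;
  if (u.username !== "" || u.password !== "") return false;
  return u.hostname === EXPECTED_HOST;
}

// Walk a list of URLs through both checks and record where each would go.
function compare(urls) {
  return urls.map((url) => ({
    url,
    naive: naiveCheck(url),
    strict: strictCheck(url),
    host: actualHost(url),
  }));
}

// Constructed inputs: a legitimate URL, the user@host bypass (the attacker's
// host serving the r.php redirector), and a host-in-path decoy.
const SAMPLES = [
  "http://trusted.example/api/user",
  "http://trusted.example@attacker.example/r.php?r=http://trusted.example/api/user",
  "http://attacker.example/trusted.example",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of compare(SAMPLES)) console.log(r);
}
```

The second sample passes naiveCheck because "trusted.example" does appear before the first /, yet actualHost() reports attacker.example, which is exactly where the Flash request lands before r.php redirects it. strictCheck rejects it. Note that tightening the URL check alone would not close the report's issue: the response is readable cross-origin only because of Security.allowDomain("*") together with the permissive crossdomain.xml, and those are what need fixing.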

To make this attack even simpler - the ajaxCall() function has a js_callback parameter, where we can handle our cross-origin response and parse it.

So the example attack scenario goes like this:
1. The attacker creates a specially crafted webpage where he embeds uploader9.swf.
2. Because of Security.allowDomain('*') we can interact with this file from any domain, so it works.
3. Because of the ajax() callback we can send requests to any other webpage.
4. Because of the crossdomain.xml of we can get the full response from and pass it to our js_callback (that "works" for the attacker's origin).

In this scenario I'll call which returns some information about the logged-in user in JSON format. To watch the exploit in action - visit this page: (it requires SSL, sorry for the self-signed cert).

Video demonstration: (unlisted - only you and I have this link)

Thanks for reading it - have a nice day! Jakub Zoczek