Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Proof of concept code (which means poor code quality) for a proxy abusing unrestricted cross domain policies.

branch: master
README
This is a Proof-Of-Concept and thus the code quality is very poor
and it has some limitations (see below).
Any help in approving it appreciated.

Brief overview
--------------
The backend is what the attacker's browser connects to on port 8080
The silverlight or flex RIA connects to the backend on a seperate
download port. This port is set when starting the backend, and it
must be 4502-4530 for silverlight (for flex it can be almost any port).
The backend forwards the url to either the flex/silverlight RIA which
runs in the victim's browser. The RIA downloads the data on behalf of
the victim (using the victim's cookies etc.), and passes the data back
to the backend, which then sends it back to the attacker.

To be able to connect to a socket, the flex or silverlight RIA tries
to download a socket policy file on port 843 and 943 respectively.
So the backend listens on these ports and supplies files as needed.
If the flex RIA is not able to connect to 843, it will try to download
the socket policy through the download port mentioned above.

Current limitations
-------------------
- The proxy runs the requests as a FIFO - not multithreaded

Something went wrong with that request. Please try again.