Kingdom: Encapsulation

Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.

Silverlight Misconfiguration: Overly Permissive Cross-Domain Policy

C#/VB.NET/ASP.NET

Abstract

The configuration file on the service host defines an overly permissive cross-domain policy.

Explanation

By default, Silverlight applications are subject to the Same-Origin Policy which ensures that a Silverlight application can access data on a service only if they come from the same domain. Silverlight allows developers to alter the policy via appropriate settings in the clientaccesspolicy.xml configuration file on the host. However, caution should be taken when changing the settings because an overly permissive cross-domain policy will allow a malicious applications to communicate with the victim service in an inappropriate way, leading to spoofing, data theft, relay, and other attacks.

Example 1: The following configuration shows clientaccesspolicy.xml using a wildcard to specify with which domains the service is allowed to communicate.


<allow-from http-request-headers="*">
	<domain uri="*"/>
</allow-from>

Using the * as the value of the domain element's uri attribute indicates that applications on any domain can connect to the service.

References

[1] URL Access Restrictions in Silverlight

[2] Network Security Access Restrictions in Silverlight

[3] HTTP Communication and Security with Silverlight: Cross-Domain Communication

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414

[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[39] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.configuration.dotnet.silverlight_misconfiguration_overly_permissive_cross_domain_policy