Script http-cross-domain-policy

Script types: portrule
Categories: safe, external, vuln

Script Summary

Checks the cross-domain policy file (/crossdomain.xml) and the client-access-policy file (/clientaccesspolicy.xml) in web applications and lists the trusted domains. Overly permissive settings enable Cross-Site Request Forgery attacks and may allow attackers to access sensitive data. This script is useful for detecting permissive configurations and trusted domain names that are available for purchase and could be used to exploit the application.

The script queries to lookup the domains. This functionality is turned off by default; to enable it, set the script argument http-cross-domain-policy.domain-lookup.
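The check described above can also be run offline against a saved policy file. The following Python sketch is an added example, not the script's own Lua code: the sample policies are constructed, the function names are hypothetical, and the Silverlight element names follow the published clientaccesspolicy.xml format.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real host).
CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

CLIENTACCESS = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://partner.example.net"/>
      </allow-from>
      <grant-to><resource path="/" include-subpaths="true"/></grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def trusted_domains(policy_xml):
    """Return the trusted-domain strings from either policy format, or None if unparseable."""
    # For files fetched from hosts you do not control, use a hardened parser (e.g. defusedxml).
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return None
    found = []
    for el in root.iter():
        if el.tag == "allow-access-from" and "domain" in el.attrib:   # crossdomain.xml
            found.append(el.attrib["domain"].strip())
        elif el.tag == "domain" and "uri" in el.attrib:               # clientaccesspolicy.xml
            found.append(el.attrib["uri"].strip())
    return found


def audit(policy_xml):
    """Summarise a policy: every trusted entry, plus the entries that trust any origin."""
    domains = trusted_domains(policy_xml)
    if domains is None:
        return {"parse_error": True, "trusted": [], "wildcards": [], "permissive": False}
    # "*" trusts every origin; "http://*" and "https://*" do the same in the Silverlight format.
    wild = [d for d in domains if d == "*" or d.endswith("://*")]
    return {"parse_error": False, "trusted": domains, "wildcards": wild, "permissive": bool(wild)}
```

Entries such as `*.example.com` are not flagged as fully permissive but remain in `trusted`, so each listed domain can be reviewed for ownership.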


Script Arguments


http-cross-domain-policy.domain-lookup

Boolean to check domain availability. Default: false


See the documentation for the slaxml library.

http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

  • nmap --script http-cross-domain-policy <target>
  • nmap -p 80 --script http-cross-domain-policy --script-args http-cross-domain-policy.domain-lookup=true <target>

Script Output

8080/tcp open  http-proxy syn-ack
| http-cross-domain-policy:
|   Cross-domain policy file (crossdomain.xml)
|     State: VULNERABLE
|       A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
|       etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
|       but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
|       Forgery attacks, and may allow third parties to access sensitive data meant for the user.
|     Check results:
|       /crossdomain.xml:
|         <cross-domain-policy>
|         <allow-access-from domain="*"/>
|         <allow-access-from domain="*"/>
|         <allow-access-from domain="*"/>'
|         </cross-domain-policy>
|       /clientaccesspolicy.xml:
|         <?xml version="1.0" encoding="utf8"?>
|         </accesspolicy>
|           <crossdomainaccess>
|             <policy>
|               <allowfrom httprequestheaders="SOAPAction">
|                 <domain uri="*"/>
|                 <domain uri="*"/>
|                 <domain uri="*"/>
|               </allowfrom>
|               <granto>
|                 <resource path="/" includesubpaths="true"/>
|               </granto>
|             </policy>
|           </crossdomainaccess>
|         </accesspolicy>
|     Extra information:
|       Trusted,,, *,,
|   Use the script argument 'domain-lookup' to find trusted domains available for purchase
|     References:



  • Seth Art <sethsec()gmail>
  • Paulino Calderon <calderon()>
  • Gyanendra Mishra

License: Same as Nmap--See