Insecure Client-Access Policy

Severity: Low | Web App Scanning Plugin ID 98065

Synopsis

Insecure Client-Access Policy

Description

The browser security model normally prevents web content served from one origin from reading data served by another. This is commonly known as the "same-origin policy".

URL policy files grant cross-domain read permissions that the browser would otherwise refuse. For Silverlight, the policy file must be served from the root of the target server under the name `ClientAccessPolicy.xml` (for example, `www.example.com/ClientAccessPolicy.xml`); the Silverlight runtime fetches it before allowing a cross-domain request.

When a domain is listed in an `<allow-from>` element of `ClientAccessPolicy.xml`, the site declares that Silverlight applications loaded from that domain may read the resources named in the policy's `<grant-to>` section on the server hosting the policy file. Because the request is issued from the user's browser, it can carry that user's cookies and session for the target site, so a listed domain is effectively trusted with whatever the user can read there.

The `ClientAccessPolicy.xml` file deployed on this website opens the server to all domains (a single asterisk "*" is accepted as a pure wildcard). Depending on the configuration, it may also allow HTTPS resources to be read by applications loaded over plain HTTP, exposing data that is supposed to be protected by HTTPS to third parties and facilitating man-in-the-middle attacks.

Solution

Carefully evaluate which sites will be allowed to make cross-domain calls, and list them explicitly instead of using "*".
If the `http://*` wildcard is allowed in a policy served over HTTPS, evaluate the implications for any data transmitted, since HTTP-loaded applications can then read HTTPS resources.
Consider the network topology and any authentication mechanisms (cookies, session tokens) that will be affected by the configuration or implementation of the cross-domain policy, and restrict `<grant-to>` to the paths that genuinely need to be reachable cross-domain.
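The following is an added example, not Tenable's plugin code, that applies the checks described in the Description and Solution sections above to a policy file. It parses a `ClientAccessPolicy.xml` document and reports the conditions a reviewer would flag: a pure "*" domain wildcard, the `http://*` wildcard in a policy served over HTTPS, any other wildcard domain, `http-request-headers="*"`, and a root `<grant-to>` with `include-subpaths="true"`. Both sample policies are constructed for this example; the hostnames and paths in them are assumptions.

```python
"""Audit a Silverlight ClientAccessPolicy.xml for over-broad cross-domain grants.

Added example: not Tenable's plugin implementation. Sample policies below are
constructed for illustration; hostnames and paths are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the kind of policy this plugin flags.
WEAK_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Constructed sample: the same policy tightened to one named HTTPS caller and one path.
HARDENED_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://app.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/api/public" include-subpaths="false"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def audit_policy(xml_text, served_over_https=True):
    """Return a list of findings (strings) for a ClientAccessPolicy.xml document.

    served_over_https: whether the policy file itself was fetched over HTTPS.
    In that case an http://* entry lets applications loaded over plain HTTP
    read the HTTPS resources named in <grant-to>.
    """
    findings = []
    # Encode to bytes so the XML declaration's encoding attribute is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))

    for policy in root.iter("policy"):
        for allow in policy.iter("allow-from"):
            if allow.get("http-request-headers") == "*":
                findings.append("http-request-headers='*' lets callers send arbitrary request headers")
            for domain in allow.iter("domain"):
                uri = domain.get("uri", "").strip().lower()
                if uri == "*":
                    findings.append("domain '*' allows every origin to read granted resources")
                elif uri == "http://*":
                    if served_over_https:
                        findings.append("domain 'http://*' lets HTTP-loaded applications read HTTPS resources")
                    else:
                        findings.append("domain 'http://*' allows every HTTP origin")
                elif "*" in uri:
                    findings.append("wildcard domain %r should be reviewed" % uri)

        for res in policy.iter("resource"):
            subpaths = res.get("include-subpaths", "false").strip().lower() == "true"
            if res.get("path", "").strip() == "/" and subpaths:
                findings.append("grant-to path '/' with include-subpaths='true' exposes the whole site")

    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", audit_policy(doc) or "no findings")
```

To audit a live site, fetch `https://<host>/ClientAccessPolicy.xml` yourself and pass the body to `audit_policy` with `served_over_https=True`; the function deliberately takes text rather than a URL so it can run against stored evidence offline.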

See Also

https://docs.microsoft.com/en-us/previous-versions/windows/silverlight/dotnet-windows-silverlight/cc645032%28v=vs.95%29

https://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx

https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_%28OTG-CLIENT-007%29

Plugin Details

Severity: Low

ID: 98065

Type: remote

Published: 3/31/2017

Updated: 11/26/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information