Hacking Silverlight part 2

My trip down hackers lane continues. Read part 1 here where I discovered the Csla WcfPortal is used. Before starting my “attack” I do some recon.

Silverlight has a build-in security step that requests the clientaccesspolicy.xml file before allowing a connection to a network resource. When that request fails the crossdomain.xml file is requested. Both files exist on the host of the Silverlight Portal. I could host a XAP on a bogey server and no bells would go off accessing the WcfPortal.

Clientaccesspolicy.xml

The content of the clientaccesspolicy file below allows access to all network resources (like services) on the host. By editing the highlighted line to contain something like uri=”http://my.domain.com/” only a XAP file hosted on my.domain.com port 80 has access to the network sources.
💡 TIP: use the domain of the source parameter from the object tag in the html page that embeds the XAP.

<?xml version="1.0" encoding="utf-8" ?> 
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" /> 
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" /> 
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

Also the access to all resources is granted in the grant-to section on line 9. Maybe some restriction could be applied there as well. Like the Services directory where the WcfPortal lives.

Crossdomain.xml

Silverlight uses the Adobe file crossdomain as fallback when the clientaccesspolicy is not available. Only when the file grants unresticted access, like the code below, Silverlight uses the file.

<?xml version="1.0" encoding="utf-8" ?> 
<cross-domain-policy>
  <allow-access-from domain="*" /> 
  <allow-http-request-headers-from domain="*" headers="*" /> 
</cross-domain-policy>

No changes should be made, except maybe remove the file.

Are these files a security risk? They might be. Think about restricting access as another hurdle a hacker must take and how much it would be in your way.

About erictummers

Working in a DevOps team is the best thing that happened to me. I like challenges and sharing the solutions with others. On my blog I’ll mostly post about my work, but expect an occasional home project, productivity tip and tooling review.

View all posts by erictummers →

2 Responses to Hacking Silverlight part 2

Pingback: Hacking Silverlight part 3 | Erictummers's Blog
Arthur says:

November 9, 2012 at 12:55 pm

Hi, I like to ask for help. I watch silverlight Playready DRM protected videos over internet. I downloaded all them to watch offline, but they don’t open over any mac os x media player or windows media player because DRM. I like to know how to cache them. When I authenticate over website and load the video on web browser player, I can play, pause, sleep the computer, disconnect from internet and continuing have access to play pause the video. If I change the video, I am requested to new authentication over silverlight servers. How can I cache the silverlight to watch offline? I have no memory to open dozens of tabs on the browser, pause all videos and watch them latter. Can I use other method or force silverlight to use same request and response over proxy like Charles? I like to watch them in a place without internet connection.
thanks.