Http X Permitted Cross Domain Unsafe
Description
Detects insecure X-Permitted-Cross-Domain-Policies header configurations that could allow cross-domain access to sensitive resources. When this header is present but not set to 'none', it may enable potentially dangerous cross-domain access through crossdomain.xml or clientaccesspolicy.xml files, which could lead to unauthorized data exposure.
Weakness: 137 - Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
Category: Protocol Manipulation
Detection Strategy
• Examines the HTTP response headers for the presence of the X-Permitted-Cross-Domain-Policies header
• Reports a vulnerability if the header is present and its value is not explicitly set to 'none' (case insensitive)
• The check applies to all HTTP responses from the web application
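The detection strategy above, written out as a small header check. This is an added example, not Fluid Attacks' scanner code; the function names (`check_xpcdp`, `scan_all`) and the sample response headers are constructed for illustration. It matches the header name case-insensitively (HTTP header names are not case-sensitive), trims and lower-cases the value, and reports a finding whenever the header is present with any value other than `none`, including the other values Adobe's cross-domain policy specification defines (`master-only`, `by-content-type`, `by-ftp-filename`, `all`) and anything unrecognised.

```python
"""Added example: evaluate X-Permitted-Cross-Domain-Policies on a set of
HTTP response headers, following the detection strategy described above.
Not Fluid Attacks' own code; names and sample headers are constructed."""

from typing import Mapping, Optional

HEADER = "x-permitted-cross-domain-policies"

# Values defined by Adobe's cross-domain policy specification. Only "none"
# refuses every policy file; the others permit crossdomain.xml /
# clientaccesspolicy.xml to be honoured to some degree.
KNOWN_VALUES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}


def find_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Return the header value, matching the name case-insensitively."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_xpcdp(headers: Mapping[str, str]) -> dict:
    """Return a finding: {'vulnerable': bool, 'value': str|None, 'reason': str}."""
    raw = find_header(headers, HEADER)
    if raw is None:
        # This check only fires when the header is present; absence is
        # not reported here.
        return {"vulnerable": False, "value": None, "reason": "header absent"}
    value = raw.strip().lower()
    if value == "none":
        return {"vulnerable": False, "value": value,
                "reason": "cross-domain policy files disallowed"}
    if value in KNOWN_VALUES:
        reason = f"value '{value}' permits cross-domain policy files"
    else:
        reason = f"unrecognised value '{value}' is not the safe 'none'"
    return {"vulnerable": True, "value": value, "reason": reason}


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "safe": {"Content-Type": "text/html",
             "X-Permitted-Cross-Domain-Policies": "none"},
    "safe_mixed_case": {"x-permitted-cross-domain-policies": "NONE "},
    "vulnerable_all": {"X-Permitted-Cross-Domain-Policies": "all"},
    "vulnerable_master_only": {"X-Permitted-Cross-Domain-Policies": "master-only"},
    "absent": {"Content-Type": "application/json"},
}


def scan_all(responses: Mapping[str, Mapping[str, str]] = SAMPLE_RESPONSES) -> dict:
    """Run the check over every sample response, keyed by sample name."""
    return {name: check_xpcdp(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, finding in scan_all().items():
        flag = "VULN" if finding["vulnerable"] else "ok  "
        print(f"{flag} {name}: {finding['reason']}")
```

To remediate, have the server emit the header with the value `none` on every response; on nginx, for instance, the directive `add_header X-Permitted-Cross-Domain-Policies "none" always;` does this.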
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.