Monthly Archives: December 2016

Bypassing HSTS via Adobe CrossDomain.xml

Bypassing HSTS when Adobe crossdomain.xml is configured to be overly permissive. Synopsis: Domains protected by HSTS that use a poorly configured Adobe CrossDomain Policy are vulnerable to the very attacks that HSTS is meant to protect against. The issue presents itself when the CrossDomain Policy allows access from domains without HSTS protections. The most damning configurations […]