Last year, when I participated in a bug bounty program, I found a web application that hosted a vulnerable .swf on their CDN. My PoC abuses the CDN as the intermediary from the web app to the attacker host. The PoC abuses robotlegs-framework-v1.5.2, a vulnerable ActionScript application framework which allows an SOP bypass.

This is not a typical case to exploit (to read the HTTP response of the vulnerable web app) because the vulnerable .swf file is hosted on the CDN. In addition, the attacker can only do an SOP bypass on the CDN. However, a crossdomain.xml policy of the vulnerable app allowed cross-domain communication between the vulnerable web app and its CDN.
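A defender-side check for the trust relationship described above, as an added example that is not part of the original post: it audits a crossdomain.xml policy for rules that extend read access to hosts serving static or third-party files, such as a CDN. The hostnames, the sample policy and the function names are constructed for illustration, and the wildcard matching is a deliberately conservative approximation.

```python
import xml.etree.ElementTree as ET

def domain_matches(pattern, host):
    """Conservative approximation of policy wildcard matching (assumption)."""
    pattern, host = pattern.lower().strip(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def audit_policy(xml_text, content_hosts):
    """Return (severity, message) findings for a crossdomain.xml document.

    content_hosts: hosts that serve static or third-party files (e.g. a CDN);
    a SWF hosted there inherits whatever access the policy grants that host.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("allow-access-from"):
        pattern = rule.get("domain", "")
        if pattern.strip() == "*":
            findings.append(("high", "any origin may read responses"))
            continue
        for host in content_hosts:
            if domain_matches(pattern, host):
                findings.append(("medium", f"{pattern!r} trusts content host {host}"))
        # secure="false" lets requesters loaded over plain HTTP use the policy.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", f"{pattern!r} allows non-HTTPS requesters"))
    return findings

# Constructed sample policy; hostnames are placeholders.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.app.example"/>
  <allow-access-from domain="*.cdn.example" secure="false"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY, ["static.cdn.example"]):
        print(severity, message)
```

Any rule that matches a content host means every file served from that host, including outdated .swf files, is effectively part of the application's trust boundary.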

More information here