During this presentation, Kevin Johnson and Mike Poor focused on examples using features of client applications. They explained that SWF has widespread support, and that ActionScript adds powerful feature sets that can be used for cross-domain attacks. Johnson and Poor used a simple Python “scanner script” to demonstrate an attack using these basic steps: read the Alexa Top 1 million domains list, compare each domain to the Google Safe List and discard it if not listed, then retrieve and parse crossdomain.xml.
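The crossdomain.xml parsing step can also be turned on a site's own policy file to see what it grants. The following is an added example, not the presenters' script: it audits a constructed sample policy offline, and the function name `audit_policy` and the severity labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration (not taken from any real site).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="static.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (severity, message) findings for the body of a crossdomain.xml file."""
    # Intended for policy files you control; use a hardened XML parser for untrusted input.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"policy is not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", f"unexpected root element <{root.tag}>")]

    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from grants read access to every domain"))
        elif domain.startswith("*."):
            findings.append(("medium", f"wildcard subdomain grant: {domain}"))
        # secure defaults to true; false lets content loaded over HTTP read HTTPS data.
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", f"secure=false weakens HTTPS isolation for {domain}"))
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append(("high", "any domain may send arbitrary request headers"))
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies") == "all":
            findings.append(("medium", "site-control 'all' honors policy files anywhere on the host"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

A policy that lists only specific, trusted domains and leaves `secure` at its default produces no findings.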