Crossdomain.xml Hacking – Proof of Concept Tool

After recently looking into how Adobe flash player does cross site requests I noticed that there was a shocking lack of tools to demonstrate crossdomain.xml insecurities. It seems like a pretty easy proof of concept to build so why isn’t there a tool to test this? Naturally I Googled around and couldn’t find anything so I decided to build my own over the weekend.

For those not familiar with Crossdomain.xml and how it applies to Flash/Adobe plugins…

Taken straight from Adobe’s website:
Continue reading

More Advanced XSS Denial of Service Attacks?

After reading Incapsula’s blog post about how an “Alexa Top 50″ website suffered an XSS vulnerability which hacker(s) used to attack a victim domain it got me thinking. The attack simply preformed an XMLHttpRequest to the victim domain on a continuous loop to flood the target with rogue GET requests.

The snippet provided by Incapsula:
Continue reading

A Look Into Creating A Truley Invisible PHP Shell

EDIT: Never had a post with so much split between loving/hating it. I’m enjoying all the constructive criticism though so I guess it’s a win/win either way.

A while ago, after discovering that a popular hacking site was hosting backdoor scripts that were themselves backdoored, I began to think about how someone would backdoor some PHP code in the most stealthy way.

However, before attempting to create an invisible PHP shell I first had to define what that looks like.

Requirements

Continue reading