After recently looking into how Adobe Flash Player does cross-site requests, I noticed that there was a shocking lack of tools to demonstrate crossdomain.xml insecurities. It seems like a pretty easy proof of concept to build, so why isn’t there a tool to test this? Naturally I Googled around and couldn’t find anything, so I decided to build my own over the weekend.
For those not familiar with Crossdomain.xml and how it applies to Flash/Adobe plugins…
Taken straight from Adobe’s website:
Incapsula’s blog post about how an “Alexa Top 50” website suffered an XSS vulnerability, which hacker(s) used to attack a victim domain, got me thinking. The attack simply performed an XMLHttpRequest to the victim domain in a continuous loop to flood the target with rogue GET requests.
The snippet provided by Incapsula:
EDIT: Never had a post with so much split between loving/hating it. I’m enjoying all the constructive criticism though so I guess it’s a win/win either way.
A while ago, after discovering that a popular hacking site was hosting backdoor scripts that were themselves backdoored, I began to think about how someone would backdoor some PHP code in the most stealthy way.
However, before attempting to create an invisible PHP shell I first had to define what that looks like.
Requirements
Malware & Botnets, Stealth, Uncategorized, Web Application Hacking and tagged backdoor php, php backdoor trick, php shell, php shell hacking, php stealth shell, php tiny shell, php trojan on April 1, 2014. 13 Comments