Soroush Dalili (@irsdl) – سروش دلیلی

Web AppSec ninja, a semicolon enthusiast!

Skip to content
  • Home
  • Advisories
  • Privacy Policy

Flash it baby!

A guideline for penetration testers to find vulnerabilities in Flash files was presented in BSides Manchester 2016.

The slides can be found at:

Flash it baby! from Soroush Dalili

The PowerPoint file can be downloaded from:

https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx

This entry was posted in Security Posts and tagged flash, flash xss, swf on October 1, 2016 by Soroush Dalili.

Post navigation

← Common Security Issues in Web-Based Payment Systems (& Gambling Apps) Using Firefox Profiles in Security Testing →

Social

Follow me on:

Recent Posts

  • My MDSec Blog Posts so far in 2020! October 31, 2020
  • File Upload Attack using XAMLX Files September 21, 2019
  • Uploading web.config for Fun and Profit 2 August 15, 2019
  • IIS Application vs. Folder Detection During Blackbox Testing July 9, 2019
  • Danger of Stealing Auto Generated .NET Machine Keys May 10, 2019
  • x-up-devcap-post-charset Header in ASP.NET to Bypass WAFs Again! May 4, 2019
  • Exploiting Deserialisation in ASP.NET via ViewState April 23, 2019
  • Yet Other Examples of Abusing CSRF in Logout April 23, 2019
  • How to win BIG and even more! April 17, 2019
  • Finding and Exploiting .NET Remoting over HTTP using Deserialisation March 26, 2019
  • More research on .NET deserialization December 19, 2018
  • Feel honoured to be there again after 8 years: Top 10 Web Hacking Techniques of 2017 December 19, 2018
  • Story of my two (but actually three) RCEs in SharePoint in 2018 December 19, 2018
  • ASP.NET resource files (.RESX) and deserialization issues August 12, 2018
  • MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online August 12, 2018

Archives

  • October 2020 (1)
  • September 2019 (1)
  • August 2019 (1)
  • July 2019 (1)
  • May 2019 (2)
  • April 2019 (3)
  • March 2019 (1)
  • December 2018 (3)
  • August 2018 (4)
  • February 2018 (2)
  • September 2017 (1)
  • August 2017 (3)
  • May 2017 (1)
  • October 2016 (1)
  • June 2015 (1)
  • March 2015 (1)
  • February 2015 (2)
  • August 2014 (1)
  • July 2014 (2)
  • May 2014 (1)
  • April 2014 (1)
  • January 2014 (1)
  • October 2013 (3)
  • September 2013 (2)
  • April 2013 (1)
  • March 2013 (1)
  • November 2012 (2)
  • October 2012 (1)
  • August 2012 (1)
  • June 2012 (5)
  • April 2012 (2)
  • December 2011 (1)
  • May 2011 (1)
  • March 2011 (1)
  • January 2011 (2)
  • December 2010 (5)
  • September 2010 (1)
  • August 2010 (4)
  • July 2010 (1)
  • June 2010 (2)
  • May 2010 (3)
  • March 2010 (2)
  • January 2010 (2)
  • December 2009 (4)
  • November 2009 (5)
  • August 2009 (1)
  • February 2009 (1)
  • January 2009 (20)
  • December 2008 (1)

Blog Tags

  • Anti-XSS bypass
  • AntiXSS bypass
  • ASP.NET
  • bug bounty
  • bypass
  • Challenge
  • computer science vulnerabilities
  • Critical vulnerabilities
  • CSRF
  • CSRF Attacks
  • deserialisation
  • deserialization
  • Exploit
  • ExternalInterface
  • FaceBook MobWars Cheat
  • file upload
  • file upload bypass
  • file uploader bypass methods
  • file uploader security bypass
  • flash
  • flash xss
  • hacking videos
  • iis
  • IIS File Extension Security Bypass
  • Javascript
  • logical flaw
  • Microsoft IIS Vulnerability
  • penetration testing
  • Privacy
  • RCE
  • request encoding
  • sharepoint
  • travian game
  • travian hack
  • travian online game
  • Unrestricted File Download
  • Unrestricted File Upload
  • WAF bypass
  • web.config
  • weblogs
  • website vulnerability
  • XSRF
  • XSS
  • XSS Vulnerability
  • ysoserial.net

RSS Web Security Research

  • CVE-2021-45467: CWP CentOS Web Panel – preauth RCE January 22, 2022
  • Vote for the Top 10 web hacking techniques of 2021 January 17, 2022
  • Crazy Session Hijack in Moodle January 12, 2022
  • Exploiting URL Parsing Confusion Vulnerabilities January 11, 2022
  • Nominations are now open for the top 10 new web hacking techniques of 2021 January 5, 2022
  • Malicious-pdf: Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator - test that uploaded file processing January 4, 2022
  • Attacking Java RMI via SSRF January 2, 2022
  • PHP LFI with Nginx Assistance December 27, 2021
  • uBlock, I exfiltrate: exploiting ad blockers with CSS December 6, 2021
  • Data Exfiltration via CSS + SVG Font November 29, 2021

RSS reddit.com netsec Channel Feed

  • CVE-2022-0185: Detecting and mitigating Linux Kernel vulnerability causing container escape January 21, 2022
  • The best free, open-source supply-chain security tool? The lockfile January 21, 2022
  • Captain Hook - How (not) to look for vulnerabilities in Java applications January 21, 2022
  • A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations January 20, 2022
  • Pentest Collaboration Framework: tool which will help you to store/modify/share information about pentest/web analysis projects. OpenSource, Portable, CrossPlatform & completely free! Supports integration with 15 tools & user-defined report generation. For several teams: seperated workspaces! January 20, 2022

RSS SecurityFocus Feed

RSS Exploit-DB Feed

  • [webapps] uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS)
  • [webapps] Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)
  • [webapps] Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)
  • [remote] Archeevo 5.0 - Local File Inclusion
  • [webapps] OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)
Privacy Policy Proudly powered by WordPress