XSS exploitation tool - access victims through HTTP proxy
Mosquito is an XSS exploitation tool allowing an attacker to set up an HTTP proxy and leverage XSS to issue arbitrary HTTP requests through victim browser (and victim cookies). Mosquito is extremely...
Syrian Electronic Army - Hacktivision to Cyber Espionage?
IntelCrawler, a cyber-threat intelligence company based in Los Angeles, has been investigating the activities of the Syrian Electronic Army (SEA) since they first surfaced in 2011. In the beginning they...
WordPress hosting: Do not try this at home!
Compromised WordPress blogs were used to host nearly 12,000 phishing sites in February. This represents more than 7% of all phishing attacks blocked during that month, and 11% of the unique IP...
Slides: Concurrency: A problem and opportunity in the exploitation of memory...
Overview: ● Motivation ● Characterization & patterns of concurrency bugs ● Relevant academic studies ● Bug finding ● Exploitation strategies ● Constructing concurrency bugdoors. Click here to access slides...
Scout — New Tool Released
Description: Uses the Pinpoint engine to download and analyze webpage components to identify infected files. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files,...
We may have witnessed a NSA "Shotgiant" TAO-like action
Last Friday, the New York Times reported that the NSA has hacked/infiltrated Huawei, a big Chinese network hardware firm. We may have witnessed something related to this. red...
Open NTP Version (Mode 6) Scanning Project
If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at NTP. The Shadowserver Foundation is currently undertaking a...
New Vulnerabilities in Firefox for Android: Overtaking Firefox Profiles
We have recently discovered a series of vulnerabilities in Firefox for Android that allow a malicious application to leak sensitive information pertaining to the user profile. We developed attacks...
Introducing Viper
Viper is the code-name of an experimental tool I've been slowly putting together in the last months. The fundamental idea is having a unified framework to facilitate the process of creating and using...
Reversing the Dropcam Part 1: Wireless and network communications
The "Internet of Things" marketplace has been blowing up recently, and towards the end of last year we began seeing a lot of demand for security assessments of these types of platforms. To practice, we...
White Paper: Less Than Zero: A Survey of Zero-day Attacks in 2013 and What...
Click here to access the paper in its entirety: http://www.fireeye.com/resources/pdfs/white-papers/fireeye-zero-day-attacks-in-2013.pdf
CF-Auto-Root Courtesy of Chainfire
Roots the Samsung Galaxy S 5 SM-G900F ahead of release. Click here: http://forum.xda-developers.com/showthread.php?t=2696537
Writing Your Own Remote Key Logger in C
Click here to read more: http://www.gironsec.com/blog/2014/03/writing-your-own-keylogger-in-c/
The Immutability of FIPS
In addition to the problems with Dual EC DRBG that have now been well documented[1], it is apparent to many of us in the clear bright light of the Snowden revelations that quite a few things that were...
HTML5 Security Cheatsheet
This is the new home of the H5SC or HTML5 Security Cheatsheet. Here you will find three things: A collection of HTML5 related XSS attack vectors; A set of useful files for XSS testing; A set of formerly...
Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By...
Two companies have agreed to settle Federal Trade Commission charges that they misrepresented the security of their mobile apps and failed to secure the transmission of millions of consumers’ sensitive...
Paper: The Mobile Cybercriminal Underground Market in China
Places in the Internet where cybercriminals converge to sell and buy different products and services exist. Instead of creating their own attack tools from scratch, they can instead purchase what...
Paper: Testing the Security of IPv6 Implementations
IPv6 deployment has been steadily increasing over the past couple of years. In order to enable a safe and secure deployment of IPv6 the security impact of implementation problems requires the...
Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)
There is an overflow in URI escape parsing in Ruby. This vulnerability has been assigned the CVE identifier CVE-2014-2525. Details: Any time a string in YAML with tags is parsed, a specially crafted...
PoC: End-to-end correlation for Tor connections using an active timing attack
This is a very simple implementation of an active timing attack on Tor. Please note that the Tor developers are aware of issues like this – https://blog.torproject.org/blog/one-cell-enough states: The Tor...