Tuesday, 14 August 2007

Scanning with Flash

Thanks to Rsnake I learned of a proof of concept for Flash scanning.



I had to enable JavaScript and have Adobe Flash installed. I used Firefox within Ubuntu 6.10. In the traffic you can see my host sending the following after finishing the three-way handshake.


09:31:34.348028 IP 192.168.2.8.44235 > 10.1.13.4.21: P 1:24(23) ack 1 win 1460
0x0000: 4500 004b 1f24 4000 4006 41d4 c0a8 0208 E..K.$@.@.A.....
0x0010: 0a01 0d04 accb 0015 f31e fbd2 a8ce 608e ..............`.
0x0020: 8018 05b4 df9f 0000 0101 080a 0018 e4f5 ................
0x0030: ea84 369b 3c70 6f6c 6963 792d 6669 6c65 ..6.<policy-file
0x0040: 2d72 6571 7565 7374 2f3e 00 -request/>.
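
The following Python is an added example, not part of the original post: it decodes the packet bytes from the dump above and flags a TCP payload that starts with the Flash policy-file request, which is what a detection rule for this traffic would key on. The function and constant names are my own; the hex is copied from the dump.

```python
import struct

# Bytes of the packet in the tcpdump output above, from the IPv4 header onward.
PACKET_HEX = (
    "4500004b1f244000400641d4c0a80208"
    "0a010d04accb0015f31efbd2a8ce608e"
    "801805b4df9f00000101080a0018e4f5"
    "ea84369b3c706f6c6963792d66696c65"
    "2d726571756573742f3e00"
)

# The request seen in the payload: the XML element followed by a NUL byte.
POLICY_REQUEST = b"<policy-file-request/>\x00"


def parse_ipv4_tcp(packet: bytes):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or ihl < 20 or len(packet) < ihl + 20:
        return None                              # not TCP, or truncated
    packet = packet[:total_len]                  # drop any link-layer padding
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4       # TCP header length incl. options
    if data_off < 20 or ihl + data_off > len(packet):
        return None
    return src, sport, dst, dport, packet[ihl + data_off:]


def is_flash_policy_probe(packet: bytes) -> bool:
    """True when the TCP payload starts with the Flash policy-file request."""
    parsed = parse_ipv4_tcp(packet)
    return parsed is not None and parsed[4].startswith(POLICY_REQUEST)


if __name__ == "__main__":
    pkt = bytes.fromhex(PACKET_HEX)
    print(parse_ipv4_tcp(pkt), is_flash_policy_probe(pkt))
```

Run against the packet above, the payload is exactly the 23 bytes tcpdump reports in `1:24(23)`, arriving on port 21, where no legitimate FTP client would send it.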

More to come, I'm sure.

On a related note, read Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF by Justin Schuh and XSRF^2 by Dan Kaminsky.
