Attacking JAVA Serialized Communication
Technique to perform penetration testing of JAVA Serialized Objects

This whitepaper introduces a new technique to intercept JAVA Serialized communication and modify it to perform penetration testing with almost the same ease as testing regular web applications. This technique is more efficient than the currently used methods. It will give the penetration tester the same control and power that an application developer has without most of the drawbacks that are present in the current methods used for testing applications communicating via Serialized Objects.

Google Gears for Attackers
Data Theft and Backdoor Placement Attacks on Google Gears’ Users

Users of Google Gears face serious threats from attacks that could steal all their offline data and place permanent backdoors on their machines. This whitepaper introduces readers to Google Gears and provides detailed coverage of the various attacks that are possible. These range from stealing the victim’s MySpace and Gmail inboxes to seven different techniques for placing backdoors. References to 0days and actual implementations of Google Gears by popular sites are provided. The attacks discussed in this whitepaper can be performed using Imposter.

Flash+IE=Prison Break
Stealing Local Files through the Flash Plugin in IE

Content running in the browser usually cannot access the local file system, but there are exceptions. This whitepaper discusses a new attack by which an attacker can transfer files from the local file system of victims using Internet Explorer. Details on how this attack works and the components involved are provided. This attack can be performed using Imposter.

Split and Join
Bypassing Web Application Firewalls with HTTP Parameter Pollution

Web Application Firewalls are becoming a critical component in the Web Security space. This whitepaper discusses a new technique to bypass Web Application Firewalls and perform SQL Injection attacks on ASP/ASP.NET applications. The technique is backed up with a vulnerability in ModSecurity.