Misconfiguration in a bottle: Symfony Profiler exposed

Char49 recently discovered a security misconfiguration on a subdomain of the website of an American multinational corporation (Top 50 on the Fortune 500): an exposed Symfony web framework debug endpoint that leaked sensitive information.

In a nutshell, exposing the Symfony Profiler or any other web framework debug...

Flash XSS on typewrite_header.swf

Our lab found an interesting XSS on a .swf file that we later discovered was mainly used on phishing websites.

Source code of typewrite_header.swf:

//Frame 3