Posted February 12 2011
A series of regex-writing challenges.
A series of XSS challenges: here's some unsafe code; exploit it! Shortest code wins.
I needed some valid SWF files with constrained character sets for an injection PoC. Putting them here in case someone else needs some.
This one is technically not a valid SWF file, but the player ignores undefined tags, so it still works. The invalid chunks are needed because the push opcode (0x96) used to introduce string constants is a UTF-8 continuation byte, so it can only appear as part of a multi-byte UTF-8 sequence.
This one avoids constants altogether by spinning its own strings out of pieces of fluff it finds lying around: the current timestamp XORed with itself is 0, and the length of "0" is 1. From there, you can use + to create the other positive integers, then pass them to ActionAsciiToChar to create the strings you need.