Manuel Caballero
Independent Security Researcher


I am still building the page. You know, when you are in the business of security it is very difficult to find the time to build your own page. But I will (or I will get a CMS!)
In the meantime, if you need to contact me, do it at

Hacking, Security Research, and Penetration Testing is what I do.

Question everything. No evidence? Don't believe it.


The word "crack" has many meanings, and some of them are not that good (at least for me). In this case, cracking only means breaking software, but breaking it for good! I help software companies to improve the security of their applications by inspecting them closely legally. I am not related in any way to "cracking" or software piracy. Buy the software or use real free versions.


BlueHat Talk Abstract

[Silverlight - Flash] Unweaving Silverlight from Flash by Fukami

New browser plug-in technology needs to be very secure, maybe even more secure than already existing solutions. The question is if there's something to be learnt from other implementations of a similar technology, especially learning from its mistakes and weaknesses. Does Silverlight deserve to be called "Silverstrong" because of its security? The second part of the talk will focus on a step by step analysis comparing the security of Silverlight and Flash. Similarities and differences such as security sandboxes, requests and sockets handling, cross domain policies and persistent storage will be discussed and attack scenarios will be described.

[Web Browsers] A Resident in my Domain by Manuel Caballero

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including where (location) you are surfing, what you are typing (passwords included) and even guess your next move. No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross domain. Also, we go through a step by step approach on how to find cross domains and a resident scripts.

Post about Silverlight 3.0 [Host SL Communication Pentest] Stainless steel bridge

Post about BlueHat BA / Resident Scripts Do you believe in ghosts?

Manuel Caballero

Caida Cabello Reverse Engineering 1 Reverse Engineering 2 Reverse Engineering 3 Reverse Engineering 4 Reverse Engineering 5