lecture: Non-Esoteric XSS Tips & Tricks


Cross-Site Scripting (XSS) is (still) one of the most prevalent security vulnerabilities typically found in web applications. Although often trivialized, it is used in sophisticated "below-the-radar" attacks against critical users (e.g. administrators). Well-prepared spear-phishing emails containing the related exploit will bring the biggest targets down to their knees with a single click (e.g. ubuntuforums.org, apache.org, etc.). While searching for the vulnerability, the ultimate goal of the penetration tester is to "pop" a dialog box containing a custom message (e.g. XSS), thus proving that arbitrary JavaScript code can be executed in the context of the vulnerable web application. In this talk, a wide variety of cases will be presented, together with non-esoteric ways of exploitation based on real-life experience gathered by popping dialogs around.


Day: 2016-09-15
Start time: 14:00
Duration: 00:45
Room: Main Stage
Track: Offense
Language: en

