Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

Ajin Abraham
Security Engineer | Freelance Security Consultant | Speaker at IMMUNIO
Aug. 20, 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
1 of 6

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

Aug. 20, 2013
Download to read offline
Technology

A Glimpse through V4 of OWASP Xenotix XSS Exploit Framework

Ajin Abraham
Security Engineer | Freelance Security Consultant | Speaker at IMMUNIO

Recommended

Website ResearchWebsite Research
Website ResearchMattCheetham358 views11 slides
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula4.9K views23 slides
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran2.6K views53 slides
Zero-Day Vulnerability and Heuristic AnalysisZero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisAhmed Banafa1.3K views4 slides
Xenotix XSS Exploit Framework: Clubhack 2012 Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012 Ajin Abraham3.9K views26 slides
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsMohammed A. Imran1.1K views10 slides

More Related Content

More from Ajin Abraham

Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham3.1K views9 slides
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham3K views56 slides
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham22.8K views38 slides
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham66.1K views38 slides
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham26K views24 slides
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham10K views18 slides

More from Ajin Abraham(20)

Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham3.1K views
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham3K views
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham22.8K views
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham66.1K views
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham26K views
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham10K views
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham8K views
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - Whitepaper
Ajin Abraham3.8K views
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham7K views
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham5.7K views
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham4.6K views
Abusing Google Apps and Data API: Google is My Command and Control CenterAbusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps and Data API: Google is My Command and Control Center
Ajin Abraham8.7K views
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham3.1K views
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Ajin Abraham5K views
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham1.9K views
Exploit Research and Development Megaprimer: Buffer overflow for beginnersExploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Ajin Abraham1.4K views
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Ajin Abraham3.6K views
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham8.5K views
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
Ajin Abraham2.4K views
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham3.4K views

Recently uploaded

NTGapps DTB Platform.pdfNTGapps DTB Platform.pdf
NTGapps DTB Platform.pdfMustafa Kuğu165 views27 slides
OpenFOAM benchmark for EPYC server: cavity mediumOpenFOAM benchmark for EPYC server: cavity medium
OpenFOAM benchmark for EPYC server: cavity mediumtakuyayamamoto180031 views31 slides
Sell&Buy.pdfSell&Buy.pdf
Sell&Buy.pdfDanielle9510955 views11 slides
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogoMonteiro78696022 views1 slide
FewShotExamples.pptxFewShotExamples.pptx
FewShotExamples.pptxAlok Ranjan20 views3 slides
Testing and Developing GraphQL APIsTesting and Developing GraphQL APIs
Testing and Developing GraphQL APIsPostman21 views14 slides

Recently uploaded(20)

NTGapps DTB Platform.pdfNTGapps DTB Platform.pdf
NTGapps DTB Platform.pdf
Mustafa Kuğu165 views
OpenFOAM benchmark for EPYC server: cavity mediumOpenFOAM benchmark for EPYC server: cavity medium
OpenFOAM benchmark for EPYC server: cavity medium
takuyayamamoto180031 views
Sell&Buy.pdfSell&Buy.pdf
Sell&Buy.pdf
Danielle9510955 views
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
DiogoMonteiro78696022 views
FewShotExamples.pptxFewShotExamples.pptx
FewShotExamples.pptx
Alok Ranjan20 views
Testing and Developing GraphQL APIsTesting and Developing GraphQL APIs
Testing and Developing GraphQL APIs
Postman21 views
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdf
Orbyfy19 views
What's Coming in CloudStack 4.19What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19
ShapeBlue122 views
dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
takuyayamamoto180014 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
A new era of Wi-Fi has arrivedA new era of Wi-Fi has arrived
A new era of Wi-Fi has arrived
Adtran67 views
How SACCOs can increase their memberships AD_compressed (1).pdfHow SACCOs can increase their memberships AD_compressed (1).pdf
How SACCOs can increase their memberships AD_compressed (1).pdf
CoretecDigital75 views
ECE ANURANAN 2023ECE ANURANAN 2023
ECE ANURANAN 2023
Bishal20Hazarika103448 views
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a MigrationNoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
ScyllaDB31 views
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
DianaGray1048 views
Future of Virtual realityFuture of Virtual reality
Future of Virtual reality
mdpavel413 views
GDSC_Info_Session_KITTiptur.pptxGDSC_Info_Session_KITTiptur.pptx
GDSC_Info_Session_KITTiptur.pptx
RadhikaNA38 views
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1
DianaGray10179 views
Daily Scrum, Sprint Review & Retrospective.pptxDaily Scrum, Sprint Review & Retrospective.pptx
Daily Scrum, Sprint Review & Retrospective.pptx
Md. Rakib Trofder90 views

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

  1. • • • •
  2. START
  3. Xenotix HTTP Web Shell Proxy Web Server ATTACKER VICTIM GET http://facebook.com Serve the JavaScript File Facebook.com HTML page contents FB’s Server
  4. SO.... Never Under Estimate the Power of XSS
  5. ajinabrahamofficial ajinabrahamofficial ajinabraham ajinabraham ajin.abraham@owasp.org