SlideShare a Scribd company logo

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

Download as PPTX, PDF
Ajin Abraham, profile picture
Ajin Abraham

This document discusses using a web shell proxy to serve malicious JavaScript files to victims attempting to access legitimate sites like Facebook.com, exploiting cross-site scripting (XSS) vulnerabilities without the need to directly hack the target sites' servers. The proxy intercepts requests and responds with payloads that can then attack the victims.

Technology
1 of 6
Downloaded 184 times
1
2
3
4
5
6
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
• • • •
START
Xenotix HTTP Web Shell Proxy Web Server ATTACKER VICTIM GET http://facebook.com Serve the JavaScript File Facebook.com HTML page contents FB’s Server
SO.... Never Under Estimate the Power of XSS
ajinabrahamofficial ajinabrahamofficial ajinabraham ajinabraham ajin.abraham@owasp.org

More Related Content

PPT
Website Research
MattCheetham
 
PDF
Node JS reverse shell
Madhu Akula
 
PDF
How to find Zero day vulnerabilities
Mohammed A. Imran
 
DOCX
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
PDF
Xenotix XSS Exploit Framework: Clubhack 2012
Ajin Abraham
 
PDF
Null Singapore 2015 accomplishments
Mohammed A. Imran
 
PDF
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
Ajin Abraham
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Website Research
MattCheetham
 
Node JS reverse shell
Madhu Akula
 
How to find Zero day vulnerabilities
Mohammed A. Imran
 
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
Xenotix XSS Exploit Framework: Clubhack 2012
Ajin Abraham
 
Null Singapore 2015 accomplishments
Mohammed A. Imran
 
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
Ajin Abraham
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 

More from Ajin Abraham (20)

PDF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
PDF
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
PDF
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
PPTX
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
 
PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
PDF
Hacking Tizen: The OS of everything - Whitepaper
Ajin Abraham
 
PPTX
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
PPTX
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
PPTX
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham
 
PPTX
Abusing Google Apps and Data API: Google is My Command and Control Center
Ajin Abraham
 
PPTX
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
PPTX
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Ajin Abraham
 
PPTX
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham
 
PPTX
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Ajin Abraham
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Ajin Abraham
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
PDF
Wi-Fi Security with Wi-Fi P+
Ajin Abraham
 
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Hacking Tizen: The OS of everything - Whitepaper
Ajin Abraham
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham
 
Abusing Google Apps and Data API: Google is My Command and Control Center
Ajin Abraham
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Ajin Abraham
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham
 
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Ajin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Ajin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
Wi-Fi Security with Wi-Fi P+
Ajin Abraham
 
Ad

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Cloud computing and distributed systems.
kkkkkhan
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
KodekX | Application Modernization Development
KodekX
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Ad

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013