Abstract image of a woman sitting on books and studying on a laptop

XSS Lightning talk

Johnny Vestergaard, profile picture
Johnny Vestergaard

This document summarizes a lightning talk on cross-site scripting (XSS) attacks. It defines XSS as the injection of malicious JavaScript onto a website with the intent of client-side execution. There are three main types of XSS attacks: reflected, persistent, and DOM-based. The talk focuses on persistent XSS attacks. It provides examples of how XSS could be used to scan local networks, steal user sessions through cookie theft, and gain complete control of the vulnerable webpage. The document concludes by recommending tools and resources for learning more about conducting white hat XSS testing.

EducationTechnologyDesign
1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
March 2012 Introduction to Cross Site Scripting  Lightning talk held at OSAA Johnny Vestergaard <jkv@unixcluster.dk> http://dk.linkedin.com/in/johnnykv
XSS - Cross Site Scripting Worst name ever?? ● Think of it as "JavaScript Injection". ○ (and ignore the haters) ● Injection of malicious JavaScript on a site with the intend of client side execution. ● Three types: Reflected, Persistent and DOM based. ● We will focus on Persistent XSS tonight.
Safe website
Vulnerable website
Hey - it's just client side!
Having a client side party ● Possibilities ○ Host scanning of client-side LAN ○ Session takeover (cookie stealing) ○ Eavesdropping ■ Keylogging ■ Events ○ Complete control of the page ● Limitations ○ Confined to the browser
Demo ● Keylogger using metasploit ● Cookie stealer with python backend
Demo #1 -  Keylogger with metasploit
Demo #2 -  The Cookie Monster https://gist.github.com/1968842
Do it yourself Whitehat style ● Backtrack 5 ○ http://www.backtrack-linux.org/ ● OWASP Broken Web Applications Project ○ VMware image with broken web apps ○ http://bit.ly/yNsF9K ● Cookie Monster ○ http://gist.github.com/1968842 ● Slides ○ http://www.slideshare.net/JohnnyKV/

More Related Content

PDF
Grunt Advanced Vol 2, Plugins Text I/O with fun
David Amend
 
PDF
Xss and sql injection
Bhuridech Sudsee
 
PDF
Real world blockchains
Dmitry Meshkov
 
PDF
Security in PHP Applications: An absolute must!
Mark Niebergall
 
PDF
Google country day_intervento
firenze-gtug
 
PPTX
Blockchain Overview
Eugene Yang
 
PPTX
Password Managers - Lastpass
Bertold Kolics
 
PDF
9. blocks - programing bitcoin
Harry Oh
 
Grunt Advanced Vol 2, Plugins Text I/O with fun
David Amend
 
Xss and sql injection
Bhuridech Sudsee
 
Real world blockchains
Dmitry Meshkov
 
Security in PHP Applications: An absolute must!
Mark Niebergall
 
Google country day_intervento
firenze-gtug
 
Blockchain Overview
Eugene Yang
 
Password Managers - Lastpass
Bertold Kolics
 
9. blocks - programing bitcoin
Harry Oh
 

Viewers also liked (14)

PDF
Dv könnun um stjórnlagaþingið3
Thorri
 
DOC
Lttt
Bao Luong
 
PPTX
The Future of Internet Marketing
Hunter Willis
 
PDF
Slides til TCP/IP workshop afholdt i Odense, November 2012
Johnny Vestergaard
 
PDF
Hacking Demystified, Campus Vejle
Johnny Vestergaard
 
PPT
Cost vs. Value Webinar Slides
Realtormag
 
PPT
1 st habit
Tatevik Ohanyan
 
PPT
Online and Mobile Media: Week 12 - Future of Journalism
AngelicaAbano
 
PPTX
CinthiaVillarreal
home
 
PPT
March 22 2012 costvs value_final
Realtormag
 
PDF
SANS xmas 2011 Hacking Submission
Johnny Vestergaard
 
PPTX
Seo Webinar_Realtormag_bostonlogic
Realtormag
 
PPT
Cost vs. Value Webinar Slides
Realtormag
 
PDF
English grammer in use
annafeu
 
Dv könnun um stjórnlagaþingið3
Thorri
 
Lttt
Bao Luong
 
The Future of Internet Marketing
Hunter Willis
 
Slides til TCP/IP workshop afholdt i Odense, November 2012
Johnny Vestergaard
 
Hacking Demystified, Campus Vejle
Johnny Vestergaard
 
Cost vs. Value Webinar Slides
Realtormag
 
1 st habit
Tatevik Ohanyan
 
Online and Mobile Media: Week 12 - Future of Journalism
AngelicaAbano
 
CinthiaVillarreal
home
 
March 22 2012 costvs value_final
Realtormag
 
SANS xmas 2011 Hacking Submission
Johnny Vestergaard
 
Seo Webinar_Realtormag_bostonlogic
Realtormag
 
Cost vs. Value Webinar Slides
Realtormag
 
English grammer in use
annafeu
 
Ad

Similar to XSS Lightning talk (20)

DOC
HallTumserFinalPaper
Daniel Tumser
 
PPT
144205230-Cross-Site-Scripting-XSS-ppt.ppt
SyedAliShahid3
 
PPTX
Cross site scripting
kinish kumar
 
PPTX
Web 2.0 PPT
yogendra singh chahar
 
PPTX
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
PDF
Cross site scripting
n|u - The Open Security Community
 
PPTX
Cross site scripting (xss)
Ritesh Gupta
 
PPT
Xssandcsrf
Prabhanshu Saraswat
 
PPTX
Xss
Rajendra Dangwal
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
PPTX
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
PPTX
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
VikasTuwar1
 
PPTX
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
PDF
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
PPTX
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
PDF
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
 
PPTX
What is xss, blind xss and xploiting google gadgets
Ziv Ginsberg
 
PDF
Is XSS Solvable?
dankney
 
PPT
Cross Site scripting Attacks - by Adam Nurudini
Adam Nurudini
 
PPTX
Xss attack
Manjushree Mashal
 
HallTumserFinalPaper
Daniel Tumser
 
144205230-Cross-Site-Scripting-XSS-ppt.ppt
SyedAliShahid3
 
Cross site scripting
kinish kumar
 
Web 2.0 PPT
yogendra singh chahar
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Cross site scripting
n|u - The Open Security Community
 
Cross site scripting (xss)
Ritesh Gupta
 
Xssandcsrf
Prabhanshu Saraswat
 
Xss
Rajendra Dangwal
 
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
Identifying XSS Vulnerabilities
n|u - The Open Security Community
 
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
VikasTuwar1
 
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET Journal
 
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
Introduction to Cross Site Scripting ( XSS )
Irfad Imtiaz
 
What is xss, blind xss and xploiting google gadgets
Ziv Ginsberg
 
Is XSS Solvable?
dankney
 
Cross Site scripting Attacks - by Adam Nurudini
Adam Nurudini
 
Xss attack
Manjushree Mashal
 
Ad

Recently uploaded (20)

DOCX
Cambridge-Practice-Tests-for-IELTS-12.docx
ssuser0d93ff
 
PPTX
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
PDF
HVAC Specification 2024 according to central public works department
amitrobanipl
 
PPTX
Virtual and Augmented Reality in Current Scenario
Shruti Dalela
 
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
CMEmpire
 
PDF
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
navneetgupta711851
 
PDF
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
PDF
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
PDF
Journal of Dental Science - UDMY (2021).pdf
Nay Aung
 
PPTX
Core Concepts of Personalized Learning and Virtual Learning Environments
Dr. Bushra Sumaiya
 
PDF
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
sureshkumarsoni26
 
PDF
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
PDF
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 2).pdf
CMEmpire
 
PDF
LIFE & LIVING TRILOGY - PART (3) REALITY & MYSTERY.pdf
sureshkumarsoni26
 
PDF
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 1).pdf
CMEmpire
 
PDF
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
PPTX
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
PDF
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
DrAnubha4
 
PDF
Uderstanding digital marketing and marketing stratergie for engaging the digi...
afreenpeshmam
 
PPTX
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
eyoba2172
 
Cambridge-Practice-Tests-for-IELTS-12.docx
ssuser0d93ff
 
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
HVAC Specification 2024 according to central public works department
amitrobanipl
 
Virtual and Augmented Reality in Current Scenario
Shruti Dalela
 
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
CMEmpire
 
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
navneetgupta711851
 
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
Journal of Dental Science - UDMY (2021).pdf
Nay Aung
 
Core Concepts of Personalized Learning and Virtual Learning Environments
Dr. Bushra Sumaiya
 
LIFE & LIVING TRILOGY - PART - (2) THE PURPOSE OF LIFE.pdf
sureshkumarsoni26
 
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 2).pdf
CMEmpire
 
LIFE & LIVING TRILOGY - PART (3) REALITY & MYSTERY.pdf
sureshkumarsoni26
 
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 1).pdf
CMEmpire
 
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
DrAnubha4
 
Uderstanding digital marketing and marketing stratergie for engaging the digi...
afreenpeshmam
 
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
eyoba2172
 

XSS Lightning talk

  • 1. March 2012 Introduction to Cross Site Scripting  Lightning talk held at OSAA Johnny Vestergaard <jkv@unixcluster.dk> http://dk.linkedin.com/in/johnnykv
  • 2. XSS - Cross Site Scripting Worst name ever?? ● Think of it as "JavaScript Injection". ○ (and ignore the haters) ● Injection of malicious JavaScript on a site with the intend of client side execution. ● Three types: Reflected, Persistent and DOM based. ● We will focus on Persistent XSS tonight.
  • 5. Hey - it's just client side!
  • 6. Having a client side party ● Possibilities ○ Host scanning of client-side LAN ○ Session takeover (cookie stealing) ○ Eavesdropping ■ Keylogging ■ Events ○ Complete control of the page ● Limitations ○ Confined to the browser
  • 7. Demo ● Keylogger using metasploit ● Cookie stealer with python backend
  • 8. Demo #1 -  Keylogger with metasploit
  • 9. Demo #2 -  The Cookie Monster https://gist.github.com/1968842
  • 10. Do it yourself Whitehat style ● Backtrack 5 ○ http://www.backtrack-linux.org/ ● OWASP Broken Web Applications Project ○ VMware image with broken web apps ○ http://bit.ly/yNsF9K ● Cookie Monster ○ http://gist.github.com/1968842 ● Slides ○ http://www.slideshare.net/JohnnyKV/