Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

•Télécharger en tant que PPTX, PDF•

5 j'aime•10,299 vues

A Glimpse through V4 of OWASP Xenotix XSS Exploit Framework

•
•
•
•

START

Xenotix HTTP Web Shell
Proxy
Web Server
ATTACKER
VICTIM
GET http://facebook.com
Serve the
JavaScript
File
Facebook.com HTML page contents
FB’s
Server

SO....
Never Under Estimate
the Power of XSS

ajinabrahamofficial
ajinabrahamofficial
ajinabraham
ajinabraham
ajin.abraham@owasp.org

Recommandé

Website Research

Website Research

Website ResearchMattCheetham

Node JS reverse shell

Node JS reverse shell

Node JS reverse shellMadhu Akula

How to find Zero day vulnerabilities

How to find Zero day vulnerabilities

How to find Zero day vulnerabilitiesMohammed A. Imran

Zero-Day Vulnerability and Heuristic Analysis

Zero-Day Vulnerability and Heuristic Analysis

Zero-Day Vulnerability and Heuristic AnalysisAhmed Banafa

Xenotix XSS Exploit Framework: Clubhack 2012

Xenotix XSS Exploit Framework: Clubhack 2012

Xenotix XSS Exploit Framework: Clubhack 2012 Ajin Abraham

Null Singapore 2015 accomplishments

Null Singapore 2015 accomplishments

Null Singapore 2015 accomplishmentsMohammed A. Imran

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013Ajin Abraham

A2 - broken authentication and session management(OWASP thailand chapter Apri...

A2 - broken authentication and session management(OWASP thailand chapter Apri...

A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew

Recommandé

Website Research

Website Research

Website ResearchMattCheetham

Node JS reverse shell

Node JS reverse shell

Node JS reverse shellMadhu Akula

How to find Zero day vulnerabilities

How to find Zero day vulnerabilities

How to find Zero day vulnerabilitiesMohammed A. Imran

Zero-Day Vulnerability and Heuristic Analysis

Zero-Day Vulnerability and Heuristic Analysis

Zero-Day Vulnerability and Heuristic AnalysisAhmed Banafa

Xenotix XSS Exploit Framework: Clubhack 2012

Xenotix XSS Exploit Framework: Clubhack 2012

Xenotix XSS Exploit Framework: Clubhack 2012 Ajin Abraham

Null Singapore 2015 accomplishments

Null Singapore 2015 accomplishments

Null Singapore 2015 accomplishmentsMohammed A. Imran

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013

OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013Ajin Abraham

A2 - broken authentication and session management(OWASP thailand chapter Apri...

A2 - broken authentication and session management(OWASP thailand chapter Apri...

A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into Web apps at Runtime WhitepaperAjin Abraham

Injecting Security into vulnerable web apps at Runtime

Injecting Security into vulnerable web apps at Runtime

Injecting Security into vulnerable web apps at RuntimeAjin Abraham

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen: The OS of everything - WhitepaperAjin Abraham

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham

Abusing Exploiting and Pwning with Firefox Addons

Abusing Exploiting and Pwning with Firefox Addons

Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham

Abusing Google Apps and Data API: Google is My Command and Control Center

Abusing Google Apps and Data API: Google is My Command and Control Center

Abusing Google Apps and Data API: Google is My Command and Control CenterAjin Abraham

Exploit Research and Development Megaprimer: Win32 Egghunter

Exploit Research and Development Megaprimer: Win32 Egghunter

Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Ajin Abraham

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentAjin Abraham

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Exploit Research and Development Megaprimer: Buffer overflow for beginnersAjin Abraham

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Ajin Abraham

Abusing, Exploiting and Pwning with Firefox Add-ons

Abusing, Exploiting and Pwning with Firefox Add-ons

Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham

Wi-Fi Security with Wi-Fi P+

Wi-Fi Security with Wi-Fi P+

Wi-Fi Security with Wi-Fi P+Ajin Abraham

Shellcoding in linux

Shellcoding in linux

Shellcoding in linuxAjin Abraham

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3

DSPy a system for AI to Write Prompts and Do Fine Tuning

DSPy a system for AI to Write Prompts and Do Fine Tuning

DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell

Contenu connexe

Plus de Ajin Abraham

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into Web apps at Runtime WhitepaperAjin Abraham

Injecting Security into vulnerable web apps at Runtime

Injecting Security into vulnerable web apps at Runtime

Injecting Security into vulnerable web apps at RuntimeAjin Abraham

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen: The OS of everything - WhitepaperAjin Abraham

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham

Abusing Exploiting and Pwning with Firefox Addons

Abusing Exploiting and Pwning with Firefox Addons

Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham

Abusing Google Apps and Data API: Google is My Command and Control Center

Abusing Google Apps and Data API: Google is My Command and Control Center

Abusing Google Apps and Data API: Google is My Command and Control CenterAjin Abraham

Exploit Research and Development Megaprimer: Win32 Egghunter

Exploit Research and Development Megaprimer: Win32 Egghunter

Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Ajin Abraham

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentAjin Abraham

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Exploit Research and Development Megaprimer: Buffer overflow for beginnersAjin Abraham

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Ajin Abraham

Abusing, Exploiting and Pwning with Firefox Add-ons

Abusing, Exploiting and Pwning with Firefox Add-ons

Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham

Wi-Fi Security with Wi-Fi P+

Wi-Fi Security with Wi-Fi P+

Wi-Fi Security with Wi-Fi P+Ajin Abraham

Shellcoding in linux

Shellcoding in linux

Shellcoding in linuxAjin Abraham

Plus de Ajin Abraham (20)

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into Web apps at Runtime Whitepaper

Injecting Security into vulnerable web apps at Runtime

Injecting Security into vulnerable web apps at Runtime

Injecting Security into vulnerable web apps at Runtime

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

Automated Security Analysis of Android & iOS Applications with Mobile Securit...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen: The OS of everything - Whitepaper

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Hacking Tizen : The OS of Everything - Nullcon Goa 2015

Abusing Exploiting and Pwning with Firefox Addons

Abusing Exploiting and Pwning with Firefox Addons

Abusing Exploiting and Pwning with Firefox Addons

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

Abusing Google Apps and Data API: Google is My Command and Control Center

Abusing Google Apps and Data API: Google is My Command and Control Center

Abusing Google Apps and Data API: Google is My Command and Control Center

Exploit Research and Development Megaprimer: Win32 Egghunter

Exploit Research and Development Megaprimer: Win32 Egghunter

Exploit Research and Development Megaprimer: Win32 Egghunter

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Exploit Research and Development Megaprimer: Buffer overflow for beginners

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...

Abusing, Exploiting and Pwning with Firefox Add-ons

Abusing, Exploiting and Pwning with Firefox Add-ons

Abusing, Exploiting and Pwning with Firefox Add-ons

Wi-Fi Security with Wi-Fi P+

Wi-Fi Security with Wi-Fi P+

Wi-Fi Security with Wi-Fi P+

Shellcoding in linux

Shellcoding in linux

Shellcoding in linux

Dernier

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3

DSPy a system for AI to Write Prompts and Do Fine Tuning

DSPy a system for AI to Write Prompts and Do Fine Tuning

DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell

Digital Identity is Under Attack: FIDO Paris Seminar.pptx

Digital Identity is Under Attack: FIDO Paris Seminar.pptx

Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3

What is DBT - The Ultimate Data Build Tool.pdf

What is DBT - The Ultimate Data Build Tool.pdf

What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina

Artificial intelligence in cctv survelliance.pptx

Artificial intelligence in cctv survelliance.pptx

Artificial intelligence in cctv survelliance.pptxhariprasad279825

unit 4 immunoblotting technique complete.pptx

unit 4 immunoblotting technique complete.pptx

unit 4 immunoblotting technique complete.pptxBkGupta21

Ensuring Technical Readiness For Copilot in Microsoft 365

Ensuring Technical Readiness For Copilot in Microsoft 365

Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited

Moving Beyond Passwords: FIDO Paris Seminar.pdf

Moving Beyond Passwords: FIDO Paris Seminar.pdf

Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada

Take control of your SAP testing with UiPath Test Suite

Take control of your SAP testing with UiPath Test Suite

Take control of your SAP testing with UiPath Test SuiteDianaGray10

DevoxxFR 2024 Reproducible Builds with Apache Maven

DevoxxFR 2024 Reproducible Builds with Apache Maven

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy

A Journey Into the Emotions of Software Developers

A Journey Into the Emotions of Software Developers

A Journey Into the Emotions of Software DevelopersNicole Novielli

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada

WordPress Websites for Engineers: Elevate Your Brandgvaughan

What is Artificial Intelligence?????????

What is Artificial Intelligence?????????

What is Artificial Intelligence?????????blackmambaettijean

Time Series Foundation Models - current state and future directions

Time Series Foundation Models - current state and future directions

Time Series Foundation Models - current state and future directionsNathaniel Shimoni

Gen AI in Business - Global Trends Report 2024.pdf

Gen AI in Business - Global Trends Report 2024.pdf

Gen AI in Business - Global Trends Report 2024.pdfAddepto

Sample pptx for embedding into website for demo

Sample pptx for embedding into website for demo

Sample pptx for embedding into website for demoHarshalMandlekar2

Dernier (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx

DSPy a system for AI to Write Prompts and Do Fine Tuning

DSPy a system for AI to Write Prompts and Do Fine Tuning

DSPy a system for AI to Write Prompts and Do Fine Tuning

Digital Identity is Under Attack: FIDO Paris Seminar.pptx

Digital Identity is Under Attack: FIDO Paris Seminar.pptx

Digital Identity is Under Attack: FIDO Paris Seminar.pptx

What is DBT - The Ultimate Data Build Tool.pdf

What is DBT - The Ultimate Data Build Tool.pdf

What is DBT - The Ultimate Data Build Tool.pdf

Artificial intelligence in cctv survelliance.pptx

Artificial intelligence in cctv survelliance.pptx

Artificial intelligence in cctv survelliance.pptx

unit 4 immunoblotting technique complete.pptx

unit 4 immunoblotting technique complete.pptx

unit 4 immunoblotting technique complete.pptx

Ensuring Technical Readiness For Copilot in Microsoft 365

Ensuring Technical Readiness For Copilot in Microsoft 365

Ensuring Technical Readiness For Copilot in Microsoft 365

Moving Beyond Passwords: FIDO Paris Seminar.pdf

Moving Beyond Passwords: FIDO Paris Seminar.pdf

Moving Beyond Passwords: FIDO Paris Seminar.pdf

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024

Take control of your SAP testing with UiPath Test Suite

Take control of your SAP testing with UiPath Test Suite

Take control of your SAP testing with UiPath Test Suite

DevoxxFR 2024 Reproducible Builds with Apache Maven

DevoxxFR 2024 Reproducible Builds with Apache Maven

DevoxxFR 2024 Reproducible Builds with Apache Maven

A Journey Into the Emotions of Software Developers

A Journey Into the Emotions of Software Developers

A Journey Into the Emotions of Software Developers

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024

WordPress Websites for Engineers: Elevate Your Brand

What is Artificial Intelligence?????????

What is Artificial Intelligence?????????

What is Artificial Intelligence?????????

Time Series Foundation Models - current state and future directions

Time Series Foundation Models - current state and future directions

Time Series Foundation Models - current state and future directions

Gen AI in Business - Global Trends Report 2024.pdf

Gen AI in Business - Global Trends Report 2024.pdf

Gen AI in Business - Global Trends Report 2024.pdf

Sample pptx for embedding into website for demo

Sample pptx for embedding into website for demo

Sample pptx for embedding into website for demo

Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013

1.

2. • • • •

4. Xenotix HTTP Web Shell Proxy Web Server ATTACKER VICTIM GET http://facebook.com Serve the JavaScript File Facebook.com HTML page contents FB’s Server

5. SO.... Never Under Estimate the Power of XSS

6. ajinabrahamofficial ajinabrahamofficial ajinabraham ajinabraham ajin.abraham@owasp.org