Published on January 6th, 2017

FSec2016 – Miroslav Stampar: Non-Esoteric XSS Tips & Tricks




Cross-Site Scripting (XSS) is (still) one of the most prevalent security vulnerabilities typically found in web applications. Although often trivialized, it is used in sophisticated "below-the-radar" attacks against critical users (e.g. administrators). Well-prepared spear-phishing emails containing the related exploit will bring the biggest targets to their knees with a single click (e.g. ubuntuforums.org, apache.org, etc.). While searching for the vulnerability, the ultimate goal of the penetration tester is to "pop" the dialog box containing a custom message (e.g. XSS), thus proving that arbitrary JavaScript code can be executed in the context of the vulnerable web application. In this talk a wide variety of cases will be presented together with non-esoteric ways of exploitation, based on real-life experience gathered by popping dialogs around.
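The abstract describes the tester's proof that markup in untrusted input is parsed as HTML by the application. The defender's counterpart is contextual output encoding, shown here as an added example that is not code from the talk or its author: a vulnerable render function beside its hardened form, plus a check a test suite can apply to rendered output. The function names, the template and the sample search term are this example's own.

```javascript
// Added example (not from the FSec2016 talk): HTML-body output encoding
// versus raw concatenation, with a test-time check for unexpected tags.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode every character that has meaning in an HTML text node or a
// quoted attribute value. A single-pass replace avoids double-encoding
// the ampersand produced by an earlier substitution.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the search term is concatenated straight into markup,
// so any tag inside it becomes part of the page's DOM.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened pattern: same template, but the term is encoded for the HTML-body
// context it lands in, so the browser shows it as text.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Cheap reviewer/test check: every tag name in the rendered output must be
// one the template itself emits; anything else came from untrusted input.
function hasUnexpectedTags(html, allowedTagNames) {
  const allowed = new Set(allowedTagNames.map((t) => t.toLowerCase()));
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!allowed.has(match[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample input: the classic dialog-popping probe the abstract
// refers to, submitted as a search term.
const SAMPLE_TERM = '<script>alert("XSS")</script>';

// Stand-alone demonstration.
console.log(renderSearchUnsafe(SAMPLE_TERM)); // script tag survives intact
console.log(renderSearchSafe(SAMPLE_TERM));   // rendered as inert text
console.log(hasUnexpectedTags(renderSearchUnsafe(SAMPLE_TERM), ["p"])); // true
console.log(hasUnexpectedTags(renderSearchSafe(SAMPLE_TERM), ["p"]));   // false
```

The escaping table covers the HTML-body and quoted-attribute contexts only. Data placed inside a `<script>` block, an inline event handler, a URL or a CSS value needs the encoder for that context; HTML entity encoding alone does not make those positions safe, which is the main reason "trivial" XSS keeps reappearing in otherwise escaped applications.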
