XSSing Your Way to Shell
82
Sense of Security Pty Ltd Sydney Level 8, 66 King St Sydney NSW 2000 Australia Melbourne Level 10, 401 Docklands Dr Melbourne VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 [email protected] www.senseofsecurity.com.au ABN: 14 098 237 908
-
Upload
hans-michael-varbaek -
Category
Education
-
view
433 -
download
1
description
NOTE: Download the PDF for high-resolution text. (It appears that SlideShare does not handle custom fonts very well.) Alternative Med-Res Source: https://speakerdeck.com/varbaek/xssing-your-way-to-shell Cross-Site Scripting isn’t new, but there is generally a large belief among vendors, corporations and even some hackers that XSS can only be used to conduct client-side attacks such as session hijacking and similar attacks, or with tools such as BeEF. This talk dives into finding a 0day in a web application, creating a basic payload, and then; the development of an idea, that becomes an asynchronous JavaScript payload able to use any administrative feature enabling the attacker to execute arbitrary code on the server. During the talk, custom-built JavaScript payloads enabling arbitrary code execution will be demonstrated. Location: Thursday 29th May 2014 - 12:15 @ Beurs van Berlage - Amsterdam - Netherlands. Bio: Hans-Michael Varbaek is a Security Consultant at Sense of Security and is an active part of the penetration testing team. He is an IT security specialist, independent researcher, and penetration tester. Hans has periodically been invited to help out community driven projects such as The Exploit Database (which he participated actively in by e.g. managing their forums and writing blog entries about web application security). Hans has presented about advanced attack methods (e.g. chained exploits) and secure web application development for numerous clients as well. Along with an IT-Administrator degree, Hans is an Offensive Security Certified Expert (OSCE) and GIAC Penetration Tester (GPEN). Toolkit: https://github.com/Varbaek/xss-shell-payloads YouTube: https://www.youtube.com/playlist?list=PLIjb28IYMQgoZaHaHUYCc8VsFETfHl4i3 Vimeo: https://vimeo.com/varbaek/videos
Transcript of XSSing Your Way to Shell
Sense of Security Pty Ltd Sydney Level 8, 66 King St Sydney NSW 2000 Australia
Melbourne Level 10, 401 Docklands Dr Melbourne VIC 3008 Australia
T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455
[email protected] www.senseofsecurity.com.au ABN: 14 098 237 908
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
