Let’s run our example on a WordPress server. Here I’ll use my favorite InfoSec Fashionistas demo site.
We’ve copied our installer bash script onto the application server and will run it in the WordPress directories.
If we open our web console and browse the application, we get a single alert pop-up, but we'll often see multiple console print statements, indicating that additional files executed our payload code.
While not an elegant solution, this approach maximizes the amount of time your Shadow Workers “XSS Payload” is running while minimizing the deployment effort. Before using this technique, ensure you have a plan for cleaning up your artifacts when your engagement is complete.
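One way to back that cleanup plan with a check, as an added example that is not part of the original post or its installer script: record SHA-256 hashes of the site's JavaScript files before the engagement, then list every file that differs afterward. The function names, the manifest format and the `*.js` filter are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): file-integrity snapshot for cleanup.
# Assumption: the files to track are *.js under the web root you pass in.

# snapshot DIR MANIFEST
# Write one "sha256  ./relative/path" line per .js file under DIR.
snapshot() {
    ( cd "$1" && find . -type f -name '*.js' -exec sha256sum {} + ) > "$2"
}

# changed_files DIR MANIFEST
# Print ADDED / MODIFIED / REMOVED for every file that differs from MANIFEST.
changed_files() {
    cf_now=$(mktemp) || return 1
    snapshot "$1" "$cf_now"
    awk '
        # sha256sum lines: 64 hex chars, two separator chars, then the path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in old))         print "ADDED " path
            else if (old[path] != hash) print "MODIFIED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cf_now" | sort
    rm -f "$cf_now"
}

# Usage: script.sh snapshot <web-root> <manifest>   (before the engagement)
#        script.sh check    <web-root> <manifest>   (after cleanup)
case "${1:-}" in
    snapshot) snapshot "$2" "$3" ;;
    check)    changed_files "$2" "$3" ;;
esac
```

An empty result from `check` after cleanup means every tracked file matches its pre-engagement hash.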