BSides Roanoke

Date: October 02, 2021

Senior Security Consultant Drew Kirkpatrick will be speaking at BSides Roanoke at 1 p.m. EST on Saturday, October 2, 2021.

Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit
(45min)

Cross-Site Scripting (XSS) vulnerabilities are a longstanding issue that allows malicious actors to inject JavaScript into a web application. Penetration testers typically use a simple JavaScript alert box to illustrate successful JavaScript execution to clients.

But what would attackers actually do with these vulnerabilities? And how can penetration testers and red teamers develop XSS payloads to use these vulnerabilities as a stepping stone to system access?

In this talk, we’ll iterate on XSS payloads against a WordPress server performing increasingly complicated attacks until finally we’ll pop a shell on the server.

BSides Roanoke