Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit

Date: December 18, 2019

This webinar was recorded on Wednesday, December 18, 2019.

XSS? What’s the big deal?

Cross-Site Scripting (XSS) vulnerabilities are a longstanding issue that allow malicious actors to inject JavaScript into a web application. Penetration testers typically use a simple JavaScript alert box to illustrate successful JavaScript execution to clients.

But what would attackers actually do with these vulnerabilities? And how can penetration testers and red teamers develop XSS payloads to use these vulnerabilities as a stepping stone to system access?

Beyond the alert popup:

In this webinar, we will walk through the development of XSS payloads against a WordPress administrator and test that payload against a live WordPress server. Our payload will use the administrator’s session to attack the WordPress server itself. We will iterate on our payload live in a text editor, adding more and more features, ultimately ending with an XSS payload that pops a meterpreter shell.

What you’ll learn:

You will learn how to weaponize XSS payloads and in the process, experience typical coding errors while we develop the payload during the demonstration. Techniques for comparing requests in Burp Suite will allow you to debug these issues and correct the payload. Learning these techniques will allow you to both attack WordPress and develop your own weaponized XSS attacks against applications in your own engagements.

Still crazy after all these years:

Finally, you will see firsthand that XSS vulnerabilities can still be high-severity flaws when you go beyond the popup.