PWNING WITH XSS : FROM ALERT() TO REVERSE SHELL

@ajinabraham

DEFCON DCG BANGALORE

#ME• INFO SEC ENTHUSIAST

• OWASP XENOTIX XSS EXPLOIT FRAMEWORK

• FREE AND OPEN INFO SEC EDUCATION SUPPORTER (KERALA CYBER FORCE)

• RUNS A DEFCON CHAPTER DEFCON KERALA

OWASP XENOTIX XSS EXPLOIT FRAMEWORK

SCANNING MODULE

INFO GATHERING MODULE

EXPLOITATION MODULE

START

Xenotix HTTP Web Shell

Proxy

Web Server

ATTACKER

VICTIM

GET http://facebook.com

Serve the JavaScript

File

Send Request to Web Server

Send Request to

Bro

wser

HTML Resp

onse to

Server

HTML Response to ServerFacebook.com HTML page contents

FB’s Server

GET http://facebook.com

Response from FB’s Server

SO....Never Under Estimate

the Power of XSS

THANK YOU

ajinabrahamofficial

ajinabrahamofficial

ajinabraham

ajinabraham

ajin.abraham@owasp.org