Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSS Lightning talk

Johnny Vestergaard
March 06, 2012
Technology
1
53

XSS Lightning talk

Held at Open Space Århus March 2012

Johnny Vestergaard

March 06, 2012
Tweet

More Decks by Johnny Vestergaard

See All by Johnny Vestergaard
Introduction to deception technology
johnnykv
0
110
Use of operational deceptions to divert cyber attacks
johnnykv
1
110
Honeypot Workshop
johnnykv
1
120
Deception, Honeypots and Honeyclients
johnnykv
0
56
Hacking Demystified
johnnykv
1
65
Basic exploitation of TCP/IP
johnnykv
0
140
Sans Christmas Hacking Challenge 2011
johnnykv
0
88
Hacking Demystified
johnnykv
0
90

Other Decks in Technology

See All in Technology
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
1
110
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
520
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
TypeScript、上達の瞬間
sadnessojisan
46
13k
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
520
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
110
いざ、BSC討伐の旅
nikinusu
2
780
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
180

Featured

See All Featured
Scaling GitHub
holman
458
140k
Rails Girls Zürich Keynote
gr2m
94
13k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Side Projects
sachag
452
42k
Done Done
chrislema
181
16k
Six Lessons from altMBA
skipperchong
27
3.5k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Become a Pro
speakerdeck
PRO
25
5k
Building a Scalable Design System with Sketch
lauravandoore
459
33k

Transcript

  1. Introduction to Cross Site Scripting Johnny Vestergaard <[email protected]> http://dk.linkedin.com/in/johnnykv Lightning

    talk held at OSAA March 2012

  2. XSS - Cross Site Scripting Worst name ever?? • Think

    of it as "JavaScript Injection". ◦ (and ignore the haters) • Injection of malicious JavaScript on a site with the intend of client side execution. • Three types: Reflected, Persistent and DOM based. • We will focus on Persistent XSS tonight.

  3. Safe website

  4. Vulnerable website

  5. Hey - it's just client side!

  6. Having a client side party • Possibilities ◦ Host scanning

    of client-side LAN ◦ Session takeover (cookie stealing) ◦ Eavesdropping ▪ Keylogging ▪ Events ◦ Complete control of the page • Limitations ◦ Confined to the browser

  7. Demo •Keylogger using metasploit •Cookie stealer with python backend

  8. Demo #1 - Keylogger with metasploit

  9. Demo #2 - The Cookie Monster https://gist.github.com/1968842

  10. Do it yourself Whitehat style • Backtrack 5 ◦ http://www.backtrack-linux.org/

    • OWASP Broken Web Applications Project ◦ VMware image with broken web apps ◦ http://bit.ly/yNsF9K • Cookie Monster ◦ http://gist.github.com/1968842 • Slides ◦ http://www.slideshare.net/JohnnyKV/