XSSER: From XSS to RCE 3.0
Hans-Michael Varbaek
March 28, 2019
OWASP Copenhagen
Transcript
XSSER: From XSS to RCE 3.0
OWASP Copenhagen Chapter, 28 March 2019
About me
➢ ISP Red Team, Copenhagen
➢ Presented at Black Hat Europe, Kiwicon, Hack in the Box, etc.
➢ Full-time security consultant career began in Sydney, Australia
Shodan query: port:80
How many web servers globally?
➢ Approximately 85 million (Shodan, port:80)
How many of them run PHP?
➢ Approximately 8.1 million (Shodan, PHP)
However, Shodan counts listening hosts, not the sites behind them. What about virtual hosting?
➢ 1.4 billion websites
➢ 232 million unique domains
➢ 27 million websites running WordPress
That is a lot more attack surface for adversaries (Netcraft, March 2019 Web Server Survey).
Classic XSS Attacks
➢ Cookie Stealing
➢ Blocked by the "HttpOnly" flag, which keeps the cookie out of document.cookie (the flag does not stop the attacks below)
➢ Defacements
➢ Phishing
➢ Session Hijacking (e.g. BeEF, XSSER, etc.)
XSSER
XSSER: What and why?
➢ Automates XSS attacks to obtain RCE
➢ Meant for educational purposes
➢ Fully open source and available on GitHub
Demo
References
➢ https://github.com/Varbaek/xsser
➢ https://shodan.io
➢ https://news.netcraft.com/archives/category/web-server-survey/
Questions?