XSSER: From XSS to RCE 3.0

Hans-Michael Varbaek

March 28, 2019

170

XSSER: From XSS to RCE 3.0

OWASP Copenhagen

Hans-Michael Varbaek

March 28, 2019

Tweet

More Decks by Hans-Michael Varbaek

See All by Hans-Michael Varbaek

Attack & Defense Methods

0

44

Attack and Defense Methods for Traffic Light Systems

0

29

So you want to be a pentester?

2

1.5k

From XSS to RCE 2.5 - Alt33c3

0

200

XSSing Your Way to Shell

2

2k

Botnets of the Web – How to Hijack One

1

240

Other Decks in Technology

See All in Technology

20260204_Midosuji_Tech

1

160

ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup

0

480

10Xにおける品質保証活動の全体像と改善 #no_more_wait_for_test

PRO

2

330

データの整合性を保ちたいだけなんだ

8

3.2k

マーケットプレイス版Oracle WebCenter Content For OCI

oracle4engineer

PRO

5

1.6k

1,000 にも届く AWS Organizations 組織のポリシー運用をちゃんとしたい、という話

0

150

プロポーザルに込める段取り八分

1

630

SREのプラクティスを用いた3領域同時マネジメントへの挑戦〜SRE・情シス・セキュリティを統合したチーム運営術〜

coconala_engineer

2

770

顧客の言葉を、そのまま信じない勇気

1

360

usermode linux without MMU - fosdem2026 kernel devroom

0

240

コミュニティが変えるキャリアの地平線：コロナ禍新卒入社のエンジニアがAWSコミュニティで見つけた成長の羅針盤

0

130

Why Organizations Fail: ノーベル経済学賞「国家はなぜ衰退するのか」から考えるアジャイル組織論

PRO

1

180

Featured

See All Featured

Unlocking the hidden potential of vector embeddings in international SEO

0

170

It's Worth the Effort

188

29k

DevOps and Value Stream Thinking: Enabling flow, efficiency and business value

1

110

What does AI have to do with Human Rights?

PRO

0

2k

From π to Pie charts

0

130

Discover your Explorer Soul

2

1.1k

Optimizing for Happiness

379

71k

Building Adaptive Systems

44

2.9k

How to make the Groovebox

2

1.9k

The innovator’s Mindset -  Leading Through an Era of Exponential Change - McGill University 2025

PRO

1

94

AI in Enterprises - Java and Open Source to the Rescue

0

1.1k

Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs

PRO

0

65

Transcript

XSSER: From XSS to RCE 3.0 OWASP Copenhagen Chapter 28
March 2019
About me ➢ ISP Red Team – Copenhagen ➢ Presented
at Black Hat Europe, Kiwicon, Hack in the Box, etc. ➢ Full-time security consultant career began in Sydney, Australia
Shodan: port:80
How many web servers globally? ➢ 85 million approximately (Shodan
– Port:80) How many of them run PHP? ➢ 8.1 million approximately (Shodan – PHP) However..
What about virtual hosting? ➢ 1.4 billion websites ➢ 232
million unique domains ➢ 27 million websites running WordPress That’s a lot more attack surface for adversaries (Netcraft March 2019 Survey)
Classic XSS Attacks ➢ Cookie Stealing ➢ Prevented by “HttpOnly”
flag ➢ Defacements ➢ Phishing ➢ Session Hijacking (e.g. BeEF, XSSER, etc.)
None
None
None
None
XSSER
XSSER What and why? ➢ Can automate XSS attacks to
obtain RCE ➢ Meant for educational purposes ➢ Fully open source and available on GitHub
Demo
References https://github.com/Varbaek/xsser https://shodan.io https://news.netcraft.com/archives/cat egory/web-server-survey/
Questions?