Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSER: From XSS to RCE 3.0
Search
Hans-Michael Varbaek
March 28, 2019
Technology
180
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
XSSER: From XSS to RCE 3.0
OWASP Copenhagen
Hans-Michael Varbaek
March 28, 2019
More Decks by Hans-Michael Varbaek
See All by Hans-Michael Varbaek
Attack & Defense Methods
varbaek
0
52
Attack and Defense Methods for Traffic Light Systems
varbaek
0
34
So you want to be a pentester?
varbaek
2
1.5k
From XSS to RCE 2.5 - Alt33c3
varbaek
0
200
XSSing Your Way to Shell
varbaek
2
2.1k
Botnets of the Web – How to Hijack One
varbaek
1
250
Other Decks in Technology
See All in Technology
組織における AI-DLC 実践
askul
0
180
AIをフル活用してオンコール機能のプロトタイプを2日で作った話 / Building an AI-Powered On-Call Prototype in Just Two Days
nari_ex
0
150
40代で“やっとエンジニアになれた”――閉じた学びを開き、空の青さを知る / 20260628 Naoki Takahashi
shift_evolve
PRO
4
1.3k
Comment regagner la souveraineté de vos données tout en étant payé grâce à Nostr !
rlifchitz
0
230
データレイクの「見えない問題」を可視化する
sansantech
PRO
1
240
背中から、背中へ /paying forward to community
naitosatoshi
0
160
「ビジネスがわかるエンジニア」とは何か?
ryooob
0
410
【FinOps】データドリブンな意思決定を目指して
z63d
2
500
技術・能力を向上する原理原則 #きのこセッションa #きのこ2026
bash0c7
0
180
NDIAS CTF 2026 問題解説会資料
bata_24
0
120
スタートアップにおけるアジャイルの実践について #shibuyagile
murabayashi
1
180
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
140
Featured
See All Featured
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
210
My Coaching Mixtape
mlcsv
0
160
New Earth Scene 8
popppiees
3
2.4k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
200
Claude Code のすすめ
schroneko
67
230k
Product Roadmaps are Hard
iamctodd
PRO
55
12k
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
minecr
1
300
Darren the Foodie - Storyboard
khoart
PRO
3
3.4k
Principles of Awesome APIs and How to Build Them.
keavy
128
18k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
28
3.5k
Prompt Engineering for Job Search
mfonobong
0
350
Navigating the moral maze — ethical principles for Al-driven product design
skipperchong
2
400
Transcript
XSSER: From XSS to RCE 3.0 OWASP Copenhagen Chapter 28
March 2019
About me ➢ ISP Red Team – Copenhagen ➢ Presented
at Black Hat Europe, Kiwicon, Hack in the Box, etc. ➢ Full-time security consultant career began in Sydney, Australia
Shodan: port:80
How many web servers globally? ➢ 85 million approximately (Shodan
– Port:80) How many of them run PHP? ➢ 8.1 million approximately (Shodan – PHP) However..
What about virtual hosting? ➢ 1.4 billion websites ➢ 232
million unique domains ➢ 27 million websites running WordPress That’s a lot more attack surface for adversaries (Netcraft March 2019 Survey)
Classic XSS Attacks ➢ Cookie Stealing ➢ Prevented by “HttpOnly”
flag ➢ Defacements ➢ Phishing ➢ Session Hijacking (e.g. BeEF, XSSER, etc.)
None
None
None
None
XSSER
XSSER What and why? ➢ Can automate XSS attacks to
obtain RCE ➢ Meant for educational purposes ➢ Fully open source and available on GitHub
Demo
References https://github.com/Varbaek/xsser https://shodan.io https://news.netcraft.com/archives/cat egory/web-server-survey/
Questions?