SlideShare una empresa de Scribd logo

XSS Shell by Vandan Joshi

ClubHack
ClubHack

This document discusses cross-site scripting (XSS) and introduces XSSShell, a tool that uses XSS vulnerabilities to execute commands on a victim's browser. It begins with an introduction to XSS and its risks, then outlines XSS types and demonstrates XSSShell by exploiting vulnerabilities in a demo application. The document aims to show how XSSShell works by establishing a server and injecting client-side JavaScript to create an administrative interface that can control infected browsers.

1 de 11
Descargar para leer sin conexión
XSSshell Vandan Joshi
Introduction • Consultant – Information Security SecurEyes Techno Services Ltd • MBA in Networks and IT Infrastructure • Learner
AGENDA • Introduction • XSS Types • XSSShell • Demo
Cross Site Scripting  Included in OWASP top 10 – 2010 Available at owasp.org
• Very easy to exploit • Widespread • Javascript Exploit • Vulnerable to any platform • Target – Users’ web browser • Considered as a script injection attack • Malicious scripts run onto the other browsers
Cross Site Scripting • Introduction • Impacts • Remediation that don’t work
Cross Site Scripting Demo • Reflective XSS • Stored XSS
• Demo by Hackersbank vulnerable application
XSS Shell • XSS Shell Server • The client Side Javascript • XSSShell’s Administrative interface
• XSSShell Demo by BeeF and Hackers Bank Application

Recomendados

웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격선협 이
 
Sencha Tech Session
Sencha Tech SessionSencha Tech Session
Sencha Tech SessionUmar Ali
 
Extreme Web Exploitation
Extreme Web ExploitationExtreme Web Exploitation
Extreme Web ExploitationViral Parmar
 
BSides Rochester 2018: Anthony DiDonato: Virtualization Based Security
BSides Rochester 2018: Anthony DiDonato: Virtualization Based SecurityBSides Rochester 2018: Anthony DiDonato: Virtualization Based Security
BSides Rochester 2018: Anthony DiDonato: Virtualization Based SecurityJosephTesta9
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
[Mas 500] Web Basics
[Mas 500] Web Basics[Mas 500] Web Basics
[Mas 500] Web Basicsrahulbot
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 

Recomendados

웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격웹 개발을 위해 꼭 알아야하는 보안 공격
웹 개발을 위해 꼭 알아야하는 보안 공격선협 이
 
Sencha Tech Session
Sencha Tech SessionSencha Tech Session
Sencha Tech SessionUmar Ali
 
Extreme Web Exploitation
Extreme Web ExploitationExtreme Web Exploitation
Extreme Web ExploitationViral Parmar
 
BSides Rochester 2018: Anthony DiDonato: Virtualization Based Security
BSides Rochester 2018: Anthony DiDonato: Virtualization Based SecurityBSides Rochester 2018: Anthony DiDonato: Virtualization Based Security
BSides Rochester 2018: Anthony DiDonato: Virtualization Based SecurityJosephTesta9
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
[Mas 500] Web Basics
[Mas 500] Web Basics[Mas 500] Web Basics
[Mas 500] Web Basicsrahulbot
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Lara Technology
Lara TechnologyLara Technology
Lara Technologylaratechnologies
 
Introduction of java technology
Introduction of java technologyIntroduction of java technology
Introduction of java technologytechnologieslara
 
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpTowards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpStephen Donner
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
Java
JavaJava
Javalaratechnologies
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defensePrakashchand Suthar
 
Lara technologies
Lara technologiesLara technologies
Lara technologiestechnologieslara
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
 
Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Dan BerghJohnsson
 
Xss attack
Xss attackXss attack
Xss attackAmbuj Kumar
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita Ionel
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
Node.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNode.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNaveen S.R
 
a
aa
aSandeep Kumar
 
Microservice Pattern Launguage
Microservice Pattern LaunguageMicroservice Pattern Launguage
Microservice Pattern LaunguageInho Kang
 
Top 10 frameworks of node js
Top 10 frameworks of node jsTop 10 frameworks of node js
Top 10 frameworks of node jsHabilelabs
 
India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 

Más contenido relacionado

Similar a XSS Shell by Vandan Joshi

The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Introduction of java technology
Introduction of java technologyIntroduction of java technology
Introduction of java technologytechnologieslara
 
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpTowards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpStephen Donner
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
 
Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Dan BerghJohnsson
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita Ionel
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and SecurityBlueinfy Solutions
 
Node.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNode.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNaveen S.R
 
Microservice Pattern Launguage
Microservice Pattern LaunguageMicroservice Pattern Launguage
Microservice Pattern LaunguageInho Kang
 
Top 10 frameworks of node js
Top 10 frameworks of node jsTop 10 frameworks of node js
Top 10 frameworks of node jsHabilelabs
 

Similar a XSS Shell by Vandan Joshi (20)

Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Lara Technology
Lara TechnologyLara Technology
Lara Technology
 
Introduction of java technology
Introduction of java technologyIntroduction of java technology
Introduction of java technology
 
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to HelpTowards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
Java
JavaJava
Java
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
Lara technologies
Lara technologiesLara technologies
Lara technologies
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 
Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014Domain Driven Security at Internetdagarna-2014
Domain Driven Security at Internetdagarna-2014
 
Xss attack
Xss attackXss attack
Xss attack
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tour
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
Node.js In The Enterprise - A Primer
Node.js In The Enterprise - A PrimerNode.js In The Enterprise - A Primer
Node.js In The Enterprise - A Primer
 
a
aa
a
 
Microservice Pattern Launguage
Microservice Pattern LaunguageMicroservice Pattern Launguage
Microservice Pattern Launguage
 
Top 10 frameworks of node js
Top 10 frameworks of node jsTop 10 frameworks of node js
Top 10 frameworks of node js
 

Más de ClubHack

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack
 
One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)ClubHack
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)ClubHack
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 

Más de ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 
One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 

XSS Shell by Vandan Joshi