About this talk
Title: Weaponized XSS - Moving Beyond Alert(1)
Presenter: Ray Doyle
Track: In The Weeds
Time: 1100
BSides San Antonio 2020
July 11th, San Antonio, Texas

Abstract: Alert(1): it's everyone's favorite cross-site scripting (XSS) payload, but that doesn't mean you have to stop there. In this talk, we will explore the variety of exploits we can weaponize after we've gotten that alert box to pop. From session hijacking to crypto mining, there are a multitude of ways to exploit your victim with this decades-old class of vulnerability. It's sometimes hard to get buy-in to correct XSS vulnerabilities because an alert box isn't a compelling risk - this talk shows how to weaponize flaws once they're found. For offensive security pros, you will walk away with a few new tricks to add to your engagements. People on the defensive side will learn signatures to detect and alert on. And for everyone else, come find out why XSS always finds its way to the top of web vulnerability top 10 lists.

Speaker Bio: The man, the myth, the legend; Ray Doyle, OSCE, OSCP, GXPN, aka @doylersec is an avid pentester and security enthusiast. He now works as a Senior Staff Adversarial Engineer at Avalara, and has been there for over six months now. You can also visit his blog at https://www.doyler.net, where he has been posting for over four years now! When he's not hacking for work he's, well, hacking for fun as well... Ray has attended various security conferences for the past few years now, and has even spoken at CarolinaCon, BSides Manchester, BrrCon, BSides Denver, and BSides Raleigh/RDU. He has competed in numerous hacking competitions and CTFs over the years, most recently with Team Eversec, and managed to place 1st in the DerbyCon 9 CTF, 1st in the DEF CON 24 SOHOpelessly Broken CTF (winning a DEF CON 'black badge'), and 1st in the DEF CON 25 Wireless CTF (helping to win another black badge).
Other than security, you can always hit him up in City of Heroes (@doyler) or a Super Smash Brothers Melee money match.