Why Hackers Keep Winning

Traditionally browsers have been used to browse the internet, with the advent of HTML5 technologies they can be abused to browse and exploit internal network resources. HTML5 features, Easy to detect but seemingly overlooked: Service Workers, ORTC, WebUSB, WebBluetooth, and WebRTC have opened up a new game not many are talking about. Single-shot web server RCE exploits are on the rise, given that a majority of organizations dont keep up with patching internally its possible to fire n-days through web sockets and gain code execution. Simply from a user viewing a web page in a modern browser. Further improvements allow us to fingerprint vulnerable services and specifically target internal hosts and applications. Think XSS is a minor vulnerability? Lets start popping calc instead of alert(1). Ryan Preston (Security Assessments Team Lead at Depth Security) awsm is the Security Assessments Team Lead at Depth Security. It's rumored that he was raised by monks at a hidden temple known as the House of Zero. He has an alert(love/hate) relationship with XSS. awsm spends his time doing awsm things. Breaking websites, Riding motorcycles, capturing flags, jumping out of planes, dropping in to 3 feet of powder in Colorado, its all in an awsm days work. Started on backtrack, OSCP'd with the first edition of Kali, now spending time impersonating Domain Administrators. @awsmhacks.