XSSer – From XSS to RCE
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS allows attackers to inject client-side scripts into web pages viewed by other users. Attackers can use an XSS vulnerability to bypass access controls such as the same-origin policy. Cross-site scripting vulnerabilities can range from a minor nuisance to a significant security risk, depending on the sensitivity of the data handled by the affected site and the nature of any security mitigations implemented by the site owner. The ability to trigger arbitrary code execution from one machine on another (especially over a global network such as the Internet) is often called remote code execution (RCE).
This example demonstrates how an attacker can use XSS to execute arbitrary code on a web server when an administrator unintentionally triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit's Meterpreter in a highly automated approach will be demonstrated in real time, including operational scenarios and interesting data that can be obtained from the compromised application. This version includes a different notification and new attack vectors!
Requirements
- Python (2.7.*, version 2.7.11 was used for development and demo)
- Gnome
- Bash
- Msfconsole (accessible via environment variables)
- Netcat (nc)
- cURL (curl) [NEW]
- PyGame (apt-get install python-pygame) [NEW]
Installation