The Hidden XSS – Attacking the Desktop

Cross-Site Scripting is most commonly known as a website or browser vulnerability (see “Hacking Google ChromeOS”). But in today’s dynamic desktop environment, it’s not uncommon for desktop applications to contain a mishmash of technologies. Since user-friendly interfaces are very important (we have degrees in UI development!), HTML and JavaScript are being used as the medium to deliver that functionality. Fortunately for attackers, this also opens up the same web vulnerabilities that a browser allows. Using popular IM clients (and an operating system!) as examples, we’ll go over how an attacker can own you, desktop and mobile, using an everyday web vulnerability: Cross-Site Scripting. Topics include discovering XSS vulnerabilities in applications, writing the exploits, and post-exploitation (what can we do??).

Presented by