Cross Site Scripting is most generally known as a website or browser vulnerability (see “Hacking Google ChromeOS”). But with today’s dynamic desktop environment, it’s not uncommon for desktop application to contain a mishmosh of technologies. Since user friendly interfaces are very important (we have degrees in UI development!), HTML & JavaScript is being utilized as a medium to deliver the function. Fortunately for attackers, this also opens up the same web vulnerabilities that a browser allows. Using popular IM clients (and an operating system!) as examples, we’ll go over how an attacker can own you, desktop and mobile, using an everyday web vulnerability, Cross Site Scripting. Topics include discovering XSS vulnerabilities in applications, writing the exploits, and post exploitation (what can we do??)
Kos is a (red) team player. He enjoys pwning, winning, and figuring out new ways to pwn and win. He plays a bad guy in the Western Regional Collegiate Cyber Defense Competition (and sometimes in real life.) He has some CTF development experience with the US Cyber Challenge “Cyber Camps”, where he and a team developped a small little CTF for the campers to compete in. Kos has also spoken at other conventions, including Toorcon Seattle, BlackHat USA, DefCon & BSidesLV. Kos has tiger’s blood, and lives in the danger zone. Kos is a (red) team player. He enjoys pwning, winning, and figuring out new ways to pwn and win. He plays a bad guy in the Western Regional Collegiate Cyber Defense Competition (and sometimes in real life.) He has some CTF development experience with the US Cyber Challenge “Cyber Camps”, where he and a team developped a small little CTF for the campers to compete in. Kos has also spoken at other conventions, including Toorcon Seattle, BlackHat USA, DefCon & BSidesLV. Kos has tiger’s blood, and lives in the danger zone. (Mostly factually correct.)