Level: Technical

Abstract:

Cross-Site Scripting is no longer a new or hot topic, but as new technologies are introduced rapidly, and with the expansion of cloud solutions and containerisation, classic vulnerabilities may take on new forms. Server-Side XSS is an unusual method to execute malicious payloads on the server rather than the client.

The talk includes multiple demos that walk the audience through an attack chain utilizing multiple vulnerabilities and misconfigurations to escalate privileges, and to transform a seemingly benign vulnerability into a powerful tool for cloud account takeover. In addition to explaining the issue with Server-Side XSS, the talk discusses its limitations and capabilities. Recommendations will be provided to prevent others from making the same mistakes that are already widespread.

Bio:

Balazs Bucsay is the founder & CEO of Mantra Information Security, which offers a variety of consultancy services in the field of IT Security. With decades of offensive security experience, he focuses his time mainly on research in various fields including red teaming, reverse engineering, embedded devices, firmware emulation and cloud. He has given multiple talks around the globe (Singapore, London, Melbourne, Honolulu) on different advanced topics and has released several tools and papers about the latest techniques. He holds multiple certifications (OSCE, OSCP, OSWP) related to penetration testing, exploit writing and other low-level topics, and degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things, so he always shares it with his peers. Because of his passion for technology, he starts a second shift right after work to do research and find new vulnerabilities.