Big Bugs | Episode 5: Big XSS–Not an Oxymoron

Over the past 10+ years, Cross-Site Scripting has made its way into just about every ‘top-ten vulnerability’ list and has consistently starred in headlines and POCs. XSS vulnerabilities are also commonly submitted through bug bounty programs, and many write them off as ‘low hanging fruit.’ We’re here to tell you that not all XSS are created equal.

This episode of Big Bugs examines the reason we’re experiencing XSS-Fatigue, some examples of high impact XSS bugs found in the wild, and resources for defenders and offenders.

Resources Mentioned in this Episode:

• Browser Exploitation Framework A.K.A. BeEF
• Bugcrowd VRT
• Bug Hunter’s Methodology Slideshow – Given originally at DEFCON 23
  • XSS Polyglots (Slides 25 – 33)
    • Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)
    • Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)
    • Multi-context polyglot payload  (Mathias Karlsson)
    • http://polyglot.innerht.ml/
• Unleashing an Ultimate XSS Polyglot – Hack Vault
• Fuzzing Payloads with SecLists, compiled by myself and Daniel Meissler
• Sleepy puppy – helps identify Blind XSS

Other Useful Resources:

• https://www.bishopfox.com/blog/2015/08/coldfusion-bomb-a-chain-reaction-from-xss-to-rce/
• http://maustin.net/hipchat_rce/
• https://oreoshake.github.io/xss/rce/bugbounty/2015/09/08/xss-to-rce.html
• http://brutelogic.com.br/blog/cheat-sheet/

Have questions for me? Continue the discussion on our forum and subscribe below to get monthly episodes of this podcast. You can also subscribe to the Bugcrowd podcast RSS feed and find us on iTunes.