2025-12-06, Track 2
Tired of Googling persistent XSS and being swamped with stored XSS write-ups? Let's take a dive into what persistent XSS really means and how modern browsers try to prevent us from achieving it.
Modern web applications have outpaced traditional Cross-Site Scripting (XSS) techniques like stored XSS and iFrame traps, which falter against page navigation, X-Frame-Options headers, Content Security Policy, and EDR/AV detection. This talk explores why true persistent XSS is a complex challenge and introduces [REDACTED], a new open-source framework built to address these modern barriers.
We dive into the persistence problem, examining why simple framing no longer suffices in today's browsers. Legacy tools like BeEF, while pioneering, rely on methods that are less effective against current browser standards and APIs. [REDACTED] builds on BeEF's persistence foundation but focuses on making XSS a reliable vulnerability to exploit on red team engagements, no matter the context. It integrates modern technologies, such as advanced DOM manipulation and lightweight payloads, to ensure stability and bypass defenses. [REDACTED] also introduces unique attacks, like live remote view, for real-time monitoring of infected web applications.
This session analyses legacy tool limitations and showcases [REDACTED]’s Command-and-Control functionality for red/purple team engagements. A live demo on a simulated banking app will highlight [REDACTED]’s innovative features, including its remote-view capability, and demonstrate its real-world impact. Attendees will understand why persistence remains a tough problem, how [REDACTED] redefines XSS exploitation, and why older approaches fall short, gaining a modern mental model for advanced attacks. Join us to rethink XSS and build on the legacy of tools like BeEF.
Introduction
The talk opens with an overview of the speaker’s cybersecurity background and experience, setting the stage for the discussion. It explains the motivation behind addressing the gap in achieving true persistent XSS and hints at the release of a new tool.
XSS Recap
This section briefly covers XSS types, including stored, reflected, and DOM-based, and discusses the impact of traditional XSS payloads, such as credential theft and session hijacking. Real-world case studies illustrate XSS's destructive potential, but the section also highlights the practical difficulties of exploiting the vulnerability, and reviews common remediation techniques and their limitations.
Modern Persistence: Snake Oil?
Here, persistence is defined in a web application context as survival, not just storage. The talk explores why navigation poses the final barrier to true persistence and addresses misconceptions about persistent XSS, highlighting challenges in modern browser environments, such as the widespread adoption of single-page applications and the problem this poses for persistence.
The Logic Behind Persistent XSS
This section delves into the core truths of XSS, emphasizing the level of control it grants over a user's browser and the implications of DOM manipulation for advanced attacks. It posits that XSS provides a foundation for persistence if the navigation challenge is overcome. It also leads into how those core truths could potentially be used to achieve true persistence.
Have We Been Gaslit?
The discussion focuses on existing persistence methods, including stored XSS, iFrame traps, and BeEF’s browser-in-the-middle attack. It highlights their limitations in modern browsers, such as X-Frame-Options, CSP, and EDR detection, and notes specific drawbacks of BeEF’s approach in today’s web environment and its practicality when used during red/purple team engagements.
Modernization (Without the AI Slop)
This part outlines goals for modernizing tools like BeEF to ensure practical use. It addresses challenges posed by EDR and AV detection and discusses design principles for red/purple team engagements, focusing on stealth, stability, and impact.
BRAT (Browser Remote Access Tool)
The talk introduces BRAT’s architecture, explaining how it differs from BeEF through modern APIs and advanced DOM manipulation for persistence. It covers features like live remote view, permissions abuse, reconnaissance, and a novel technique that would allow an XSS payload to persist even AFTER re-opening your browser, along with practical use cases for red/purple team scenarios. The section emphasizes BRAT’s role in re-igniting the pursuit of true persistence and preventing such attacks.
BRAT Demo
The talk concludes with a live demonstration using a simulated banking application, showcasing BRAT's inner workings, including real-time monitoring, JavaScript injection, and HTML retrieval, to highlight its practical impact and functionality in a controlled environment. The demo also showcases a novel technique that poisons a browser's local cache to embed persistence that survives the victim re-opening their browser.
Conclusion
The talk wraps up by discussing the key takeaways listed below:
- Grasp XSS’s potential on modern web applications for high-impact attacks like data theft and lateral attacks.
- True persistence requires you to defeat a boss: the audience will gain insight into what it really means to achieve true persistence in modern web environments.
- Learn how BRAT uses modern APIs and DOM manipulation, advancing beyond BeEF’s legacy methods.
- Explore BRAT’s live remote view for real-time monitoring of infected web apps.
- Gain a mental model for obscured persistence challenges and BRAT deployment insights.
It then ends by relaying how the community can get involved in the development of the tool.
My name is Ethan Havinga. After finishing my education I was lucky enough to join an internship at MWR CyberSec, where I now work full-time as a Cybersecurity Consultant with a focus on the web application security space. In my spare time I enjoy a bit of light reading and video games, and I have a passion for diving head-first into technical rabbit holes.
