WWHF @ Mile High 2025

Tired of taking screenshots of alert boxes? Join me for a working session to discuss how to use JavaScript and DOM manipulation to craft a believable XSS phishing payload resulting in code execution in a target domain. This session was inspired while working on a web application pentest with some colleagues. They asked me to generate an XSS payload to help demonstrate impact within existing CSP restrictions. Today, I am hosting a learning session to show an approach for turning a reflected XSS bug from alert(1) to P1. This includes a live demo / working session to turn a target domain into a phishing page (and maybe some cat pics) and a discussion about how to turn that into a shell. Attendees are encouraged to follow along in their browsers. Following this session, you will emerge with additional knowledge of (1) manipulating the browser's DOM with JS, (2) CSP Limitations (and bypasses), and (3) a methodology for how to turn XSS into a phishing payload from scratch.