Weaponising XSS for Red Teams

by Jesse and Noah | - 4:30pm

Too often, cross-site scripting (XSS) vulnerabilities don’t get the attention they deserve. In many pentest reports, a tester will simply showcase them with a harmless alert(document.domain) proof-of-concept and move on. This downplays the real-world impact of the vulnerability class and leaves its full offensive potential largely ignored, especially for red teams aiming to breach hardened external perimeters.

In this talk, we’ll go beyond the browser pop-up to demonstrate a novel application of XSS in modern offensive operations. We’ll break down how a simple frontend bug can become a launching point for advanced phishing campaigns, allowing an adversary to harvest user credentials and gain access to MFA-protected user sessions. You’ll see practical scenarios and demos that highlight just how deadly XSS can be when it’s weaponised with purpose.

To put these techniques in the hands of the community, we’ll also be releasing an open-source tool named Shadow Browser that was designed to supercharge red team phishing ops. It is similar to the popular Evilginx, but very different in practice. If you’re ready to move past the theoretical XSS pop-up alerts and start exploiting its full power, this talk will take you from alert() to a full-fledged Red Team phishing campaign.

About Jesse and Noah

Jesse is a Security Consultant at Tanto Security, where he takes part in a range of red-team and pentesting engagements. He enjoys playing CTFs under the tag “Solopie” and is an active player in the space, having contributed to DownUnderCTF in previous years and participated in the International CyberSecurity Challenge as part of Team Oceania.

Noah is a Security Consultant at TantoSec and is currently studying a Bachelor of Cybersecurity. His interests vary from week to week, spanning web projects, hardware security, radio, and whatever other topics surface in his Twitter feed. He also plays CTFs on the weekend with Emu Exploit, his university team MQCyberSec and occasionally IrisSec. Additionally, Noah is terrified of speaking in front of 2000+ people 😭