Loading Events

« All Events

  • This event has passed.
Event Series Event Series: Conference

JS-Tap: Weaponizing JavaScript for Red Teams – Drew Kirkpatrick

October 19, 2023 @ 3:00 pm 3:50 pm MDT

How do you use malicious JavaScript to attack an application you know nothing about?

Application pen testers often create custom weaponized JavaScript payloads to demonstrate potential impact to clients. Documents are stolen, privileges escalated, or account transfers initiated, depending on what the “crown jewels” are for that client.

Payload development for pen testers is simplified by authenticated access that is typical during application assessments. Pen testers already know what sequence of requests and responses are required to achieve a particular goal when they develop a payload.

Red teams have a different set of challenges and opportunities that are often not conducive to developing tailored JavaScript payloads. Custom applications often have unknown functionality and require a generic payload. Red teams also have opportunities to introduce malicious JavaScript beyond XSS vulnerabilities.

A new open source tool (JS-Tap) will be introduced that is designed to allow red teamers to attack applications using generic JavaScript used as either a post exploitation implant or an XSS payload. When used as an XSS payload, JS-Tap uses a novel persistence technique called an iFrame trap to extend execution time.

JS-Tap captures sensitive data as users interact with the application including screenshots of pages visited and inputs entered by the user such as login credentials. Cookies and local storage are scraped, potentially disclosing sensitive session data. HTML content is also captured providing the application insight needed to develop targeted XSS payloads for future attacks.

Critically, the payload makes no requests to the application server itself.


1906 Deadwood Mountain Drive
Deadwood, SD 57732 United States
(605) 559-0386
View Venue Website
Drew Kirkpatrick headshot
Drew Kirkpatrick

Drew has 20 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days he works to improve Information Security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a Security Researcher at NopSec and Secure Decisions as well as a Senior Computer Scientist for the U.S. Navy.

Offensive Security Certified Professional (OSCP)
GIAC Web Application Penetration Tester (GWAPT)
GIAC Mobile Device Security Analyst (GMOB)
M.S. Computer Science – Florida Institute of Technology
M.S. Computer Information Systems – Florida Institute of Technology
B.A. Psychology/Economics – St. Mary’s College of Maryland


Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector and various machine learning and penetration testing tool projects.

Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.