Boring old XSS

During 2025 I was determined to understand what it meant to have persistence within a web environment. This led me down a massive rabbit hole… from navigation hooking to service worker attacks, I ventured forth. In the end, we managed not only to persist past navigation, but managed to persist our control over a victims browsing session even after browser close.

I had the opportunity to present the research output at the following conferences:

Bsides Cape Town
BlackHat MEA (Middle East and Africa)

Additionally, I posted a two part research article series:

Part 1 | Part 2

NOT DONE YET! Part of the research output was a C2 style tool that showcased the true potential for persistence within web environments:

https://github.com/MWR-CyberSec/BRAT

Who said XSS was simple?

Persistence or Snake-oil: Re-achieving Persistent XSS

Table of Contents

Boring old XSS