Asynchronous Cross Site Scripting - Silent But Deadly

Ricardo Almeida

Hunting for asynchronous vulnerabilities in web applications, namely Asynchronous Cross Site Scripting, is always a difficult task since you don’t know where your payload will end up. You don’t even know whether it will even be triggered (or when). You can use the amazing Burp Suite Professional Collaborator to tackle these vulnerabilities, but if you are on a budget, you can always fall back to tools like XSS.IO, XSS hunter or even Netflix’s Sleepy Puppy that are available for free. Using ready made tools is always a time saver, however building your own tools is a lot more fun :)
I will try to take you on a DIY journey into building a simple yet efective asynchronous cross site scripting detection and exploitation tool that you can use on your daily work or get you that coveted bug bounty reward you always wanted.


Currently working as a Security Engineer @Jumia. InfoSec enthusiast that loves a good movie and play World of Tanks MMO.
Google’s Vulnerability Reward Program (VRP) recipient in 2015 and CERT-EU Security Wall of Fame in 2016.
Incidentally, I also own two security related certifications: OSCP and CEH.