Ethan Havinga
Security Consultant
MWRCyberSec
Ethan Havinga is a cybersecurity consultant at MWRCyberSec, based in South Africa, where he has worked for the last 2 years. He specializes in application security and is also part of the cybersecurity tabletop team and the research team.
Speaker sessions
Persistence or Snake-Oil?: Re-achieving persistent XSS
Tired of Googling persistent XSS and being swamped with Stored XSS write-ups? Let's take a dive into what persistent XSS really means and how modern browsers try to prevent us from achieving it.

Modern web applications have outpaced traditional Cross-Site Scripting (XSS) techniques like stored XSS and iFrame traps, which falter against page navigation, X-Frame-Options headers, Content Security Policy, and EDR/AV detection. This hands-on bootcamp explores why true persistent XSS is a complex challenge and introduces BRAT (Browser Remote Access Tool), a new open-source framework built to address these modern barriers.

We dive into the persistence problem, examining why simple framing no longer suffices in today's browsers. Legacy tools like BeEF, while pioneering, rely on methods less effective against current browser standards and APIs. BRAT builds on BeEF's persistence foundation but integrates modern technologies, such as advanced DOM manipulation and lightweight payloads, to ensure stability and bypass defenses. BRAT also introduces unique attacks, like live remote view, for real-time monitoring of infected web applications.

This session analyses legacy tool limitations and showcases BRAT's Command-and-Control functionality for red/purple team engagements. A live demo on a simulated banking app will highlight BRAT's innovative features, including its remote-view capability, and demonstrate its real-world impact. Attendees will understand why persistence remains a tough problem, how BRAT redefines XSS exploitation, and why older approaches fall short, gaining a modern mental model for advanced attacks. Join us to rethink XSS and build on the legacy of tools like BeEF.
Time: 17:00, Wed 03 Dec
Stage: Briefings 2
Session Type: Presentation