BSides Canberra 2026

Animesh Acharya

Animesh is a Senior Security Consultant working at Tanto Security. He is interested in web security research and also does Bug Bounties. You can get in touch with him on LinkedIn at https://www.linkedin.com/in/an1msh/


Session

09-25
13:30
180min
Escalating XSS into session hijacking in modern SSO ecosystems
Animesh Acharya

Finding an XSS and getting alert(1) to fire is one thing. Turning it into something a program or a client treats as high impact is another, and often the trickier part. A reflected or stored XSS on a subdomain that holds no session, or an XSS you can only trigger on yourself, is easy to set aside as low severity.

Modern applications, though, are rarely a single site. They are ecosystems tied together by shared single sign-on, OAuth, parent-domain cookies, CDN caches, and postMessage. Once you understand how those pieces fit together, an XSS almost anywhere on an origin can often be escalated into a one-click account takeover of the main application.

Over the last couple of years I have reported a number of these escalations to bug bounty programs, taking reflected, stored, DOM, and self XSS and chaining them into session hijacking. This workshop walks through how that is done, using a lab built from those findings. It is aimed at testers and bug bounty hunters who can already find XSS and want to learn how to take it further. This workshop will leave you with a set of techniques, a sense of which one fits a given situation, and the confidence to build your own session hijacking chains.

Event Track
Murray-Fitzroy Room