Aren't Cross Site Scripting vulnerabilities lame? All they can do is display annoying popups that say 'xss' in them. Oh, and hijack your HTTP sessions... and detect every website you have visited... and port scan and fingerprint your internal network... and reconfigure your routers... and brute force usernames and passwords... and capture all the words you search Google for. And I almost forgot, they can self propagate too. Wait, maybe XSS isn't so lame after all. This presentation will examine all the nasty things JavaScript can do that most people don't know about. What's that? The masses desire the sweet taste of 0-day? No problem. I'll give a live demo of Jikto, a complete web application vulnerability scanner written entirely in JavaScript. Jikto silently crawls and audits any public website and sends the results to a 3rd party. Jikto can be embedded into any website or XSS payload turning website visitors into accomplices that will scan and attack webservers on the Internet.