In this talk i’m going to explain in detail a new technique to achieve javascript code persistence in web applications from devices using the Bacnet protocol (building automation) in the underlying device protocol/web app arquitecture. A remote attacker is able to inject javascript code in the Bacnet device abusing the read/write properties from the Bacnet protocol itself, the code is going to be stored in the Bacnet database helping the attacker to achieve persistence in the victim …