asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

More documents

Recommendations

Info

Finding and exploiting DOMXSSvulnerabilities automatically at scale• byte-level taint tracking in Chromium each character in a string has its source informationattached to it• Chrome crawling extension also the interface between taint engine andcentral server• An exploit generator Taint information + HTML/JavaScript syntax rules Generates exploits automatically
Results (many many cats XSS)• Ran experiment against Alexa Top 10k Found a total of 1,602 unique vulnerabilities .. On 958 domains• Auditor turned off at that point Vulnerability exists even if caught• Reran experiment with Auditor Auditor did not catch all exploits Conducted in-depth analysis into the WHY
Page 1 and 2: Client-Side ProtectionAgainst DOM-b
Page 3 and 4: Cross-Site Scriptinga.k.a. XSS (duh
Page 5 and 6: Bypassing the Same-Origin Policy•
Page 7 and 8: Types of XSSReflectedStoredServer
Page 9 and 10: Stopping XSS attacks• If you are
Page 11: Quick digression:finding a lot ofDO
Page 15 and 16: How the XSS Auditor works• HTTP r
Page 17 and 18: Auditor Matching Rules (simplified)
Page 19 and 20: How the XSS Auditor works• HTTP r
Page 21 and 22: How to bypass the XSS Auditor• HT
Page 23 and 24: Avoiding AuditorInvocation
Page 26 and 27: String-matchingissuesCreate situati
Page 28 and 29: Trailing Content• Use existing co
Page 30 and 31: Double Injectionsvar urlhash = l
Page 32 and 33: Bypasses in the wild• Using our e
Page 34 and 35: The Auditor's problems• Problem #
Page 36 and 37: Exampleuserdata var userinput =
Page 38 and 39: Block policies• No tainted value
Page 40 and 41: False positives• Compatibility cr
Page 42 and 43: False positives• Compatibility cr
Page 44 and 45: What to take away?• XSS still is

asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

Create successful ePaper yourself

Delete template?

Save as template?