asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

More documents

Recommendations

Info

Bypassing the<strong>XSS</strong>Auditor
How the <strong>XSS</strong> Auditor works• HTTP response is parsed• Auditor invoked if dangerousHTML construct is encountered Only during initial parsing process Only if certain chars are in the request (," and ')• HTTP request is checked for existence ofconstruct Matching algorithm depends on HTML construct• If match is found, payload is "neutered"
Page 1 and 2: Client-Side ProtectionAgainst DOM-b
Page 3 and 4: Cross-Site Scriptinga.k.a. XSS (duh
Page 5 and 6: Bypassing the Same-Origin Policy•
Page 7 and 8: Types of XSSReflectedStoredServer
Page 9 and 10: Stopping XSS attacks• If you are
Page 11 and 12: Quick digression:finding a lot ofDO
Page 13: Results (many many cats XSS)• Ran
Page 17 and 18: Auditor Matching Rules (simplified)
Page 19 and 20: How the XSS Auditor works• HTTP r
Page 21 and 22: How to bypass the XSS Auditor• HT
Page 23 and 24: Avoiding AuditorInvocation
Page 26 and 27: String-matchingissuesCreate situati
Page 28 and 29: Trailing Content• Use existing co
Page 30 and 31: Double Injectionsvar urlhash = l
Page 32 and 33: Bypasses in the wild• Using our e
Page 34 and 35: The Auditor's problems• Problem #
Page 36 and 37: Exampleuserdata var userinput =
Page 38 and 39: Block policies• No tainted value
Page 40 and 41: False positives• Compatibility cr
Page 42 and 43: False positives• Compatibility cr
Page 44 and 45: What to take away?• XSS still is

asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?