asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

More documents

Recommendations

Info

Auditor Matching Rules (simplified)Inline Scripts• alert(1) • Matching rule Check whether content of script is contained in therequest ... skipping initial comments and whitespaces ... only up to 100 characters ... stops if "terminating character" is encountered(#, ?, //, ..
Auditor Matching Rules (simplified)HTML attributes• Event handlers • Attributes with JavaScript URLs • For each parsed attribute ... check if the attribute contains a JavaScript URL … or whether the attribute is an event handler If so, check if the complete attribute is contained in therequest
Page 1 and 2: Client-Side ProtectionAgainst DOM-b
Page 3 and 4: Cross-Site Scriptinga.k.a. XSS (duh
Page 5 and 6: Bypassing the Same-Origin Policy•
Page 7 and 8: Types of XSSReflectedStoredServer
Page 9 and 10: Stopping XSS attacks• If you are
Page 11 and 12: Quick digression:finding a lot ofDO
Page 13 and 14: Results (many many cats XSS)• Ran
Page 15: How the XSS Auditor works• HTTP r
Page 19 and 20: How the XSS Auditor works• HTTP r
Page 21 and 22: How to bypass the XSS Auditor• HT
Page 23 and 24: Avoiding AuditorInvocation
Page 26 and 27: String-matchingissuesCreate situati
Page 28 and 29: Trailing Content• Use existing co
Page 30 and 31: Double Injectionsvar urlhash = l
Page 32 and 33: Bypasses in the wild• Using our e
Page 34 and 35: The Auditor's problems• Problem #
Page 36 and 37: Exampleuserdata var userinput =
Page 38 and 39: Block policies• No tainted value
Page 40 and 41: False positives• Compatibility cr
Page 42 and 43: False positives• Compatibility cr
Page 44 and 45: What to take away?• XSS still is

asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?