asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)
asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)
asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
How the <strong>XSS</strong> Auditor works• HTTP response is parsed• Auditor invoked if dangerousHTML construct is encountered Only during initial parsing process Only if certain chars are in the request (," and ')InvocationMatching• HTTP request is checked for existence ofconstruct Matching algorithm depends on HTML constructBlocking• If match is found, payload is "neutered"