asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

More documents

Recommendations

Info

Auditor Matching Rules (simplified)Referencing external content• • • Matching rule … check if tag name … and the complete attribute is contained in the request
How the <strong>XSS</strong> Auditor works• HTTP response is parsed• Auditor invoked if dangerousHTML construct is encountered Only during initial parsing process Only if certain chars are in the request (," and ')InvocationMatching• HTTP request is checked for existence ofconstruct Matching algorithm depends on HTML constructBlocking• If match is found, payload is "neutered"
Page 1 and 2: Client-Side ProtectionAgainst DOM-b
Page 3 and 4: Cross-Site Scriptinga.k.a. XSS (duh
Page 5 and 6: Bypassing the Same-Origin Policy•
Page 7 and 8: Types of XSSReflectedStoredServer
Page 9 and 10: Stopping XSS attacks• If you are
Page 11 and 12: Quick digression:finding a lot ofDO
Page 13 and 14: Results (many many cats XSS)• Ran
Page 15 and 16: How the XSS Auditor works• HTTP r
Page 17: Auditor Matching Rules (simplified)
Page 21 and 22: How to bypass the XSS Auditor• HT
Page 23 and 24: Avoiding AuditorInvocation
Page 26 and 27: String-matchingissuesCreate situati
Page 28 and 29: Trailing Content• Use existing co
Page 30 and 31: Double Injectionsvar urlhash = l
Page 32 and 33: Bypasses in the wild• Using our e
Page 34 and 35: The Auditor's problems• Problem #
Page 36 and 37: Exampleuserdata var userinput =
Page 38 and 39: Block policies• No tainted value
Page 40 and 41: False positives• Compatibility cr
Page 42 and 43: False positives• Compatibility cr
Page 44 and 45: What to take away?• XSS still is

asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

Create successful ePaper yourself

Delete template?

Save as template?