asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

More documents

Recommendations

Info

Bypasses in the wild• Using our existing infrastructure, we found … 1,602 DOM-based XSS vulnerabilities … on 958 domains• We enhanced our exploit generator to targetbypassable vulnerabilities Not targeting DOM bindings, second-order flows or alternativeattacks• Result: 776 of 958 domains susceptible to Auditorbypasses
Doing it the right way
Page 1 and 2: Client-Side ProtectionAgainst DOM-b
Page 3 and 4: Cross-Site Scriptinga.k.a. XSS (duh
Page 5 and 6: Bypassing the Same-Origin Policy•
Page 7 and 8: Types of XSSReflectedStoredServer
Page 9 and 10: Stopping XSS attacks• If you are
Page 11 and 12: Quick digression:finding a lot ofDO
Page 13 and 14: Results (many many cats XSS)• Ran
Page 15 and 16: How the XSS Auditor works• HTTP r
Page 17 and 18: Auditor Matching Rules (simplified)
Page 19 and 20: How the XSS Auditor works• HTTP r
Page 21 and 22: How to bypass the XSS Auditor• HT
Page 23 and 24: Avoiding AuditorInvocation
Page 26 and 27: String-matchingissuesCreate situati
Page 28 and 29: Trailing Content• Use existing co
Page 30 and 31: Double Injectionsvar urlhash = l
Page 34 and 35: The Auditor's problems• Problem #
Page 36 and 37: Exampleuserdata var userinput =
Page 38 and 39: Block policies• No tainted value
Page 40 and 41: False positives• Compatibility cr
Page 42 and 43: False positives• Compatibility cr
Page 44 and 45: What to take away?• XSS still is

asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?