asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

More documents

Recommendations

Info

The Auditor's problems• Problem #1: approximation of data flow string matching• Problem #2: HTML parser after all, XSS is JavaScript injection• Problem #3: Never designed to tackle client-sideXSS let's fix that
Our proposed solution• Approximation unnecessarily imprecise for localflows we can use taint tracking instead• Position inside JavaScript parser after all, XSS is JavaScript injection• XSS: data is interpreted as code "data" in JavaScript: Literals (Numeric, String, Boolean)• è Only allow tainted data to generate Literals
Page 1 and 2: Client-Side ProtectionAgainst DOM-b
Page 3 and 4: Cross-Site Scriptinga.k.a. XSS (duh
Page 5 and 6: Bypassing the Same-Origin Policy•
Page 7 and 8: Types of XSSReflectedStoredServer
Page 9 and 10: Stopping XSS attacks• If you are
Page 11 and 12: Quick digression:finding a lot ofDO
Page 13 and 14: Results (many many cats XSS)• Ran
Page 15 and 16: How the XSS Auditor works• HTTP r
Page 17 and 18: Auditor Matching Rules (simplified)
Page 19 and 20: How the XSS Auditor works• HTTP r
Page 21 and 22: How to bypass the XSS Auditor• HT
Page 23 and 24: Avoiding AuditorInvocation
Page 26 and 27: String-matchingissuesCreate situati
Page 28 and 29: Trailing Content• Use existing co
Page 30 and 31: Double Injectionsvar urlhash = l
Page 32 and 33: Bypasses in the wild• Using our e
Page 36 and 37: Exampleuserdata var userinput =
Page 38 and 39: Block policies• No tainted value
Page 40 and 41: False positives• Compatibility cr
Page 42 and 43: False positives• Compatibility cr
Page 44 and 45: What to take away?• XSS still is

asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?