asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

More documents

Recommendations

Info

DOM-based / Client-Side XSS• Flaws in client-side code Data from attacker-controlled sourceflows to security-sensitive sink Eventually, attacker-controlled datais interpreted as code var name = location.hash.slice(1)); document.write("Hello " + name); • Detection of client-side XSS Dynamic analysis: use taint tracking Commercial product DOMinator Static analysis: no idea, we don't do static analysis J
Stopping XSS attacks• If you are the application’s owner: Don’t use user-provided data in an unencoded/unfiltered way Use secure frameworks or other magic Use Content Security Policy, sandboxed iframes, …
Page 1 and 2: Client-Side ProtectionAgainst DOM-b
Page 3 and 4: Cross-Site Scriptinga.k.a. XSS (duh
Page 5 and 6: Bypassing the Same-Origin Policy•
Page 7: Types of XSSReflectedStoredServer
Page 11 and 12: Quick digression:finding a lot ofDO
Page 13 and 14: Results (many many cats XSS)• Ran
Page 15 and 16: How the XSS Auditor works• HTTP r
Page 17 and 18: Auditor Matching Rules (simplified)
Page 19 and 20: How the XSS Auditor works• HTTP r
Page 21 and 22: How to bypass the XSS Auditor• HT
Page 23 and 24: Avoiding AuditorInvocation
Page 26 and 27: String-matchingissuesCreate situati
Page 28 and 29: Trailing Content• Use existing co
Page 30 and 31: Double Injectionsvar urlhash = l
Page 32 and 33: Bypasses in the wild• Using our e
Page 34 and 35: The Auditor's problems• Problem #
Page 36 and 37: Exampleuserdata var userinput =
Page 38 and 39: Block policies• No tainted value
Page 40 and 41: False positives• Compatibility cr
Page 42 and 43: False positives• Compatibility cr
Page 44 and 45: What to take away?• XSS still is

asia-15-Johns-Client-Side-Protection-Against-DOM-Based-XSS-Done-Right-(tm)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?