Revisiting XSS Sanitization

Presented at Black Hat Europe 2014, Oct. 17, 2014, 11:45 a.m. (60 minutes)

Online WYSIWYG ("What You See Is What You Get") editors, or rich-text editors, are nowadays an essential component of web applications. They allow users to edit and enter HTML rich text (i.e., formatted text, images, links, videos, etc.) inside the web browser window.

This talk will first demonstrate how to break the top 25 online WYSIWYG editors powering thousands of web applications. We show XSS bypasses for top WYSIWYG editors such as TinyMCE, Jive, Froala, CKEditor, etc. We will share stories of how we were able to XSS the WYSIWYG editors of sites like Twitter, Yahoo Email, Amazon, GitHub, Magento, and CNET.

After breaking almost all WYSIWYG editors in the wild, this talk will present a sanitizer (a very easy to use, effective and practical solution) which is based only on '11 chars + 3 regular expressions', and will show how it keeps you safe from XSS in the HTML, attribute, script (including JSON), style and URL contexts.

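The last sentence lists five output contexts, and the reason a sanitizer has to treat them separately is that each context has its own metacharacters. The JavaScript below is an added example written for this page to make that concrete; it is not the '11 chars + 3 regular expressions' sanitizer from the talk and makes no claim about how that sanitizer works. The function names, the allow-listed URL schemes, the placeholder base URL and the sample profile are assumptions constructed for the illustration.

```javascript
// Added example: one encoder per output context (HTML body, quoted attribute,
// script/JSON, style, URL). Independent illustration of the defensive
// principle; NOT the sanitizer presented in the Black Hat talk.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML body context, e.g. <p>{{value}}</p>: escape the characters that can
// open or close a tag or terminate a quoted value.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (c) => HTML_ESCAPES[c]);
}

// Quoted attribute context, e.g. <div title="{{value}}">: every
// non-alphanumeric character becomes a numeric character reference, so
// neither quote nor '=' nor whitespace can start a new attribute.
function encodeForAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Script / JSON context, e.g. <script>var cfg = {{value}};</script>: serialise
// with JSON.stringify, then \u-escape the characters the HTML parser (which
// runs before the JS parser) would act on, plus the two Unicode line
// terminators that are valid JSON but not valid inside older JS strings.
function encodeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Style context, e.g. <div style="color: {{value}}">: CSS hex escapes
// (backslash, hex digits, trailing space) neutralise quotes, braces,
// semicolons and parentheses. The output is also attribute-safe because it
// contains only alphanumerics, backslashes and spaces.
function encodeForCss(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `\\${c.codePointAt(0).toString(16)} `);
}

// URL context, part 1: a value embedded in a query string,
// e.g. <a href="/search?q={{value}}">.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// URL context, part 2: a whole user-supplied URL used as an href. Encoding
// cannot help here (a javascript: URL is perfectly valid text), so the scheme
// is checked against an allow-list AFTER the WHATWG URL parser has normalised
// it; the parser strips tabs, newlines and leading whitespace and lower-cases
// the scheme, which is what defeats "java\tscript:" and " JavaScript:".
// The returned value must still be attribute-encoded when placed in href="".
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // assumption
function safeHref(value, fallback = '#') {
  let parsed;
  try {
    // 'https://example.invalid/' is a placeholder base for relative URLs.
    parsed = new URL(String(value), 'https://example.invalid/');
  } catch (e) {
    return fallback;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? String(value) : fallback;
}

// One fragment assembled with each encoder applied in its own context.
function renderProfile(user) {
  return [
    `<p>${encodeForHtml(user.bio)}</p>`,
    `<img alt="${encodeForAttribute(user.name)}" src="/avatar?u=${encodeForUrlParam(user.name)}">`,
    `<a href="${encodeForAttribute(safeHref(user.homepage))}">home</a>`,
    `<div style="color: ${encodeForCss(user.colour)}">theme</div>`,
    `<script>var profile = ${encodeForScript(user)};</script>`,
  ].join('\n');
}

// Constructed sample input (not from the page) with a breakout attempt per
// context, used only to exercise the encoders.
const SAMPLE_USER = {
  name: '"><img src=x onerror=alert(1)>',
  bio: '<script>alert(document.cookie)</script>',
  homepage: 'java\tscript:alert(1)',
  colour: 'red; background: url(javascript:alert(1))',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderProfile(SAMPLE_USER));
}
```

The point the example makes is that a single "strip dangerous tags" pass cannot cover all five contexts: the script block needs `\u` escapes that are meaningless in an attribute, the style value needs CSS escapes, and a user-supplied URL needs a scheme allow-list rather than any encoding at all.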
Presenters:

  • Ashar Javed - Ruhr University Bochum, Germany
    Ashar Javed is a Research Assistant at Ruhr University Bochum, Germany, and is working towards his PhD. He has been listed ten (X) times on the Google Security Hall of Fame, the Twitter/Microsoft/eBay/Adobe/Etsy/AT&T security pages and Facebook White Hat. He has spoken at security conferences such as Hack in the Box, DeepSec and the OWASP Seminar at RSA Europe.