A Tale of an Unbreakable, Context-specific XSS Sanitizer

Presented at DeepSec 2014 „Do you want to know more?“

Cross-Site Scripting - `an epidemic` nowadays, developers' nightmare, but my love. This talk will present an unbreakable, context-specific (supports five common contexts, i.e., HTML, script, attribute, URL and style), practical and easy-to-use XSS sanitizer. For the HTML, script, attribute and style contexts, I only control 11 meta characters, and for the URL context, 3 regular expressions, and `JOB DONE`. But before telling you that 78,000+ recorded XSS attack attempts were unable to bypass the sanitizer in five common contexts ... this talk will present a context-aware XSS attack methodology, and then I will show how I leverage that attack methodology for the development of an unbreakable sanitizer. In fact, I will demonstrate that by looking at the context-specific attack methodology (e.g., the XSS attack methodology related to the `style` context is a four-step process), even a child can code this sanitizer. I will also share the logs of 78K+ XSS attack attempts. The timing, mutation, script-less, browser-quirk and Unicode tricks fail here.
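To make the context-specific approach concrete, here is an added example (not the speaker's sanitizer and not from this page) of an encoder that treats the five contexts separately: the same meta-character set is escaped in the syntax of the HTML, attribute, script or style context, while the URL context is handled by allow-list regular expressions. The page does not list the speaker's 11 meta characters or 3 URL patterns, so the character set and the three patterns below are this example's own assumptions.

```python
import re

# Assumed 11-character meta set for this example; the talk's own list is not on this page.
META_CHARS = '<>"\'&/=();\\'


def _encode_char(ch: str, context: str) -> str:
    """Encode one meta character in the escape syntax of the target context."""
    cp = ord(ch)
    if context in ("html", "attribute"):
        return f"&#x{cp:02X};"      # HTML numeric character reference
    if context == "script":
        return f"\\x{cp:02X}"       # JavaScript string hex escape
    if context == "style":
        return f"\\{cp:X} "         # CSS hex escape, terminated by a space
    raise ValueError(f"unknown context: {context}")


# URL context: three allow-list checks (assumed for this example, not the speaker's).
_CONTROL = re.compile(r"[\x00-\x20\x7f]")                 # whitespace/control chars inside a scheme
_HTTP_SCHEME = re.compile(r"^https?://", re.IGNORECASE)   # explicit http(s) scheme only
_RELATIVE = re.compile(r"^[^:/?#]*(?:[/?#]|$)")           # no scheme before path/query/fragment


def sanitize_url(value: str) -> str:
    """Return the URL if it passes the allow-list, otherwise a harmless '#'."""
    if _CONTROL.search(value):
        return "#"
    if not (_HTTP_SCHEME.match(value) or _RELATIVE.match(value)):
        return "#"
    # Percent-encode quotes and angle brackets so the URL cannot close its attribute.
    return value.replace('"', "%22").replace("'", "%27").replace("<", "%3C").replace(">", "%3E")


def sanitize(value: str, context: str) -> str:
    """Sanitize untrusted input for one of the five contexts: html, attribute, script, style, url."""
    if context == "url":
        return sanitize_url(value)
    return "".join(_encode_char(c, context) if c in META_CHARS else c for c in value)


if __name__ == "__main__":
    # Constructed probes, one per context, to show the encoded output.
    for ctx, probe in [("html", "<script>alert(1)</script>"), ("script", '"; alert(1); //'),
                       ("style", "</style>"), ("url", "javascript:alert(1)")]:
        print(f"{ctx:9} {sanitize(probe, ctx)}")
```

Because the meta characters are encoded rather than stripped, the output still renders the original text in the page; only its ability to change context is removed.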

Presenters:

  • Ashar Javed - Ruhr University Bochum
    Ashar Javed is a research assistant at Ruhr University Bochum, Germany, working towards his PhD. He has been listed ten (`X`) times in the Google Security Hall of Fame, on the Twitter/Microsoft/eBay/Adobe/Etsy/AT&T security pages and in the Facebook White Hat list. He has spoken at major security venues such as Hack in the Box, DeepSec, OWASP Spain and the OWASP Seminar@RSA Europe.
