Presented at
DeepSec 2014 „Do you want to know more?“,
Unknown date/time
(Unknown duration).
Cross-Site Scripting - `An epidemic` nowadays, developers' nightmare, but my love. This talk will present an unbreakable, context-specific (supports five common contexts i.e., HTML, script, attribute, URL and style), practical and easy to use XSS sanitizer. For HTML, script, attribute and style context, I only control 11 meta characters and for URL context, 3 regular expressions and `JOB DONE`.
But before telling you that 78,000+ recorded XSS attack attempts were unable to bypass the sanitizer in five common contexts ... this talk will present context-aware XSS attack methodology and then I will show how I leverage the attack methodology for the development of an unbreakable sanitizer. In fact, I will demonstrate that by looking at the context-specific attack methodology (e.g., XSS attack methodology related to `style` context is a four step process), even a child can code this sanitizer. I will also share the logs of 78K+ XSS attack attempts. The timing, mutation, script-less, browser quirks and Unicode tricks fail here.
Presenters:
-
Ashar Javed
- Ruhr University Bochum
Ashar Javed is a research assistant in Ruhr University Bochum, Germany and working towards his PhD. He has been listed ten (`X`) times in Google Security Hall of Fame, Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages & Facebook White Hat. He spoke in the main security venues like Hack in the Box, DeepSec, OWASP Spain and OWASP Seminar@RSA Europe.
Links:
Similar Presentations: