New Methods in Automated XSS Detection: Dynamic XSS Testing without Using Static Payloads

Presented at AppSec USA 2015, Sept. 25, 2015, 3 p.m. (55 minutes).

For the past 15+ years all major automated XSS detection methods rely on payloads. Payloads are static exploit strings with previously known variations of exploits and exploit syntaxes. This presentation shows examples dynamic methods that do not rely on payloads to figure out if an XSS vulnerability exists. Furthermore these methods can be extended to provide, for the first time, accurate Stored XSS detection and generate dynamic custom XSS exploits. This presentation will show the current well-known automated XSS detection methods and the short comings of using a static payload methodology. It will then describe a number of methods and techniques that are used to provide dynamic XSS analysis. Finally, it will demonstrate how to create dynamic custom XSS exploits based on the dynamic detection XSS method described earlier in the presentation.

Presenters:

• Ken Belva - Owner - XSS Warrior, LLC
  I'm an almost 20 year cyber security veteran. AppSecUSA 2015 presenter. :) Please speak with me about opportunities for my XSS tool xssWarrior as well as Pen Testing services.

Links:

• https://appsecusa2015.sched.com/event/3Vgd/new-methods-in-automated-xss-detection-dynamic-xss-testing-without-using-static-payloads
• https://infocon.org/cons/OWASP/AppSecUSA 2015/New Methods in Automated XSS Detection - Ken Belva.mp4

Similar Presentations:

• DEF CON 20 (2012) / Blind XSS
• ToorCon: Seattle 2011 / XSS Without the Browser
• Black Hat USA 2013 / The Web IS Vulnerable: XSS Defense on the BattleFront