XSS mitigation: the state of the art

Presented at BSidesSF 2022 Rescheduled, June 5, 2022, 4:30 p.m. (50 minutes)

XSS attacks and mitigations are complex. Between CSPv3, Trusted Types, Strict Dynamic, CORP, and CORB, it's a lot to take in. In this talk, we'll cover what you need to know in order to implement efficient XSS defences at every layer.

Presenters:

• Vladimir de Turckheim - Datadog
  Vladimir (he/him) is a software engineer focusing on Application Security at Datadog. He has been working on Node.js security for 5 years and now focuses on Web quality and security at large. Vladimir is in charge of the Node.js bug bounty program.
• Jean-Baptiste Aviat - Datadog
  Jean-Baptiste Aviat is AppSec staff engineer at Datadog, former CTO and co-founder at Sqreen. He spent half a decade hunting security bugs at Apple, helping developers fix them, and developing protections used by millions of devices. He's the host of the appsecbuilders.com podcast. Prior to Apple, Jb was a full-stack, white-hat hacker for a consulting company, developing numerous security tools in whatever language he needed to hack into.

Links:

• https://bsidessf2022.sched.com/event/rjrC/xss-mitigation-the-state-of-the-art

Similar Presentations:

• AppSec USA 2015 / New Methods in Automated XSS Detection: Dynamic XSS Testing without Using Static Payloads
• DEF CON 20 (2012) / Blind XSS
• LocoMocoSec 2019 / Trusted types & the end of DOM XSS