Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Bypassing XSS Mitigations Via Script Gadgets - AppSec EU 2017

OWASP Foundation via YouTube

Overview

Explore a novel web hacking technique that bypasses XSS mitigations through script gadgets in this 47-minute conference talk from AppSec EU 2017. Learn how attackers can abuse legitimate JavaScript code to execute malicious scripts, even in the presence of HTML sanitizers and Content Security Policy. Discover real-world examples of script gadgets in popular JavaScript libraries, APIs, and applications. Examine the process of injecting benign elements that match gadget selectors, leading to unintended script execution. Gain insights into the limitations of current XSS prevention methods and understand the potential risks associated with this technique. Delve into specific examples, including gadgets in Knockout.js and expression parsers, to better comprehend the mechanics of this attack vector. Conclude with a summary of the implications and potential future developments in this area of web security.

Syllabus

Intro
XSS mitigations
Selectors in Frameworks
Selectors - Example
XSS Example
Research
Results sneak peek
Example gadgets
Example: Knockout
Simple Script Gadgets
Gadgets in expression parsers
Bypassing mitigations with gadgets
Caveats
Summary
Outlook & Conclusion

Taught by

OWASP Foundation

Reviews

Start your review of Bypassing XSS Mitigations Via Script Gadgets - AppSec EU 2017

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.