Overview
Explore a comprehensive conference talk from AppSecEU 2015 in Amsterdam, where Martin Johns, Sebastian Lekies, and Ben Stock delve into client-side protection against DOM-based XSS attacks. Learn about the Same Origin Policy, XSS vulnerability types, and the specifics of DOM-based XSS. Discover effective methods to stop cross-site scripting attacks, including automated expert generators and the XSS auditor. Examine real-world testing scenarios using Alexa top 10000 domains and understand the challenges of disabling and testing XSS auditors. Gain insights into preventing XSS auditor bypasses, performance considerations, and string matching issues. Watch a demo showcasing solutions, examples, and potential false negatives and positives. Conclude with performance results and key takeaways for implementing robust client-side protection against DOM-based XSS vulnerabilities.
Syllabus
Introduction
Overview
Slides
Same Origin Policy
XSS vulnerability
XSS Types
What is DOMBase
How to stop XS attacks
Clients XSS
Automated expert generator
Alexa top 10000 domains
Disabling the XSS auditor
Testing the XSS auditor
Crosssite scripting attack
Inline scripts
Attributes
External Content
Preventing the XSS Auditor
Performance
Avoiding invocation
String matching issues
Partial injections
Trailing content
Demo
Solution
Example
False Negatives
False Positives
Performance Results
Conclusion
Taught by
OWASP Foundation