XSS Mitigation - The State of the Art

Security BSides San Francisco via YouTube

Overview

Explore the complexities of XSS attacks and mitigations in this conference talk from BSidesSF 2022. The talk covers CSPv3, Trusted Types, 'strict-dynamic', CORP and CORB and shows how they combine into an XSS defense that works at several layers. It walks through the evolution of the web security model from the 1995 Same Origin Policy, the most common bypasses of current defenses, and the specific exposure of Electron apps, where XSS can escalate to code execution on the host. On the server side it compares server-side rendering options, automatic Content Security Policy generation for server-side rendering, and mitigations built into templating engines, then looks at the role of Static Application Security Testing (SAST) and the existing standard mitigations delivered through security headers. It closes with the future of browser and server-side defenses and the XSS-specific risks that come from the supply chain, where remotely loaded dependencies can be tampered with. The aim is a robust, multi-layered approach to XSS mitigation in modern web applications.

Syllabus

Intro
Main XSS variants
Web security model: Same Origin Policy, 1995
Juicy targets: Electron apps
Most common bypasses
Disable JavaScript
Trusted Types
Cookies security
The future of browser defenses
Server Side Rendering options
Auto Content Security Policy for Server Side Rendering
Templating engines-level mitigations
Static Application Security Testing (SAST)
Existing standards mitigations overview (aka security headers soup)
The future of server side mitigations
Battlecards: XSS threat model
Frameworks and associated risks
Supply chain security: XSS specific risks
Remote dependencies can be tampered with
XSS defense in depth

Taught by

Security BSides San Francisco
