Call to Arms - A Tale of the Weaknesses of Current Client-Side XSS Filtering

Explore the critical vulnerabilities in client-side XSS filtering through this comprehensive Black Hat conference talk. Delve into an in-depth analysis of Chrome's XSS Auditor, uncovering 17 flaws that enable bypassing its filtering capabilities. Learn about a tool for automatically generating XSS attacks that exploit these vulnerabilities. Examine the results of a practical, empirical study testing the Auditor's protection capabilities against thousands of DOM-based zero-day XSS vulnerabilities in top websites. Discover how the XSS filter was successfully bypassed on the first attempt in over 80% of vulnerable web applications. Gain insights into potential future improvements for client-side XSS filtering based on the presenters' analysis and experiences in bypass generation. Enhance your understanding of web security and stay ahead of emerging threats in this 55-minute presentation by Martin Johns, Ben Stock, and Sebastian Lekies.