Explore the critical vulnerabilities in client-side XSS filtering through this comprehensive Black Hat conference talk. Delve into an in-depth analysis of Chrome's XSS Auditor, uncovering 17 flaws that enable bypassing its filtering capabilities. Learn about a tool for automatically generating XSS attacks that exploit these vulnerabilities. Examine the results of a practical, empirical study testing the Auditor's protection capabilities against thousands of DOM-based zero-day XSS vulnerabilities in top websites. Discover how the XSS filter was successfully bypassed on the first attempt in over 80% of vulnerable web applications. Gain insights into potential future improvements for client-side XSS filtering based on the presenters' analysis and experiences in bypass generation. Enhance your understanding of web security and stay ahead of emerging threats in this 55-minute presentation by Martin Johns, Ben Stock, and Sebastian Lekies.
Call to Arms - A Tale of the Weaknesses of Current Client-Side XSS Filtering
Overview
Syllabus
Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering
Taught by
Black Hat
Related Courses
-
Web Application Penetration Testing: Client-side Testing
-
Client-Side Protection Against DOM-Based XSS Done Right
-
Client-Side Protection Against DOM-Based XSS Done Right
-
Breaking XSS Mitigations Via Script Gadgets
-
XS Leaks - Client-Side Attacks in a Post-XSS World
-
Ultimate Dom Based XSS Detection Scanner on Cloud
