Explore a comprehensive analysis of client-side protection against DOM-based Cross-Site Scripting (XSS) in this Black Hat conference talk. Delve into the limitations of current browser-based XSS filters, particularly Chrome's XSS Auditor, as the speakers reveal 17 flaws enabling filter bypasses. Learn about a tool for automatically generating XSS attacks that exploit these vulnerabilities. Examine the results of an empirical study testing these attacks against thousands of zero-day XSS vulnerabilities in top websites, demonstrating the inadequacy of existing client-side defenses. Discover an innovative alternative XSS filter design utilizing client-side taint tracking in the JavaScript engine, offering more robust protection against DOM-XSS attacks. Gain valuable insights into improving web application security and safeguarding end-users from this pervasive threat.
Client-Side Protection Against DOM-Based XSS Done Right
Overview
Syllabus
Client-Side Protection Against DOM-Based XSS Done Right (tm)
Taught by
Black Hat
Related Courses
-
Client-Side Protection Against DOM-Based XSS Done Right
-
Web Application Penetration Testing: Client-side Testing
-
Call to Arms - A Tale of the Weaknesses of Current Client-Side XSS Filtering
-
Ultimate Dom Based XSS Detection Scanner on Cloud
-
Enhancing ReactJS Application Security: Cross-Site Scripting and Client-Side Defense
-
Locking the Throne Room - ECMA Script 5, a Frozen DOM and the Eradication of XSS
