Explore new methods in automated XSS detection without relying on static payloads in this 41-minute conference talk from AppSecUSA 2015. Delve into dynamic techniques for identifying XSS vulnerabilities, including accurate Stored XSS detection and generation of custom XSS exploits. Compare current automated XSS detection methods with their limitations to innovative dynamic analysis approaches. Learn how to create dynamic custom XSS exploits based on the presented detection methods. Gain insights into various techniques such as payload slam, signature bass, string transformation, unique slugs, and the sandwich method. Examine real-life examples, browser considerations, and key takeaways for practical implementation. Cover input/output handling, GET/POST requests, DOM manipulation, and dynamic payload generation. Conclude with guidance on deploying these advanced XSS detection strategies in your security practices.
New Methods in Automated XSS Detection - Dynamic Testing Without Static Payloads
Overview
Syllabus
Introduction
Overview
State of Automated XSS Detection
Key Idea
History
Different Syntax
Techniques
Payload Slam
Signature Bass
completeness
string transformation
unique slugs
sandwich method
detection logic
trace
real life example
browser considerations
key takeaways
practice
input output
getpost
dom
dynamic
dynamic payload
dynamic exploit
bash shell
should deploy
Taught by
OWASP Foundation
