Overview
Syllabus
Intro
Welcome
Who's here
Agenda
Cross-site scripting
Cross-site scripting types
Looking at the past
Cert Advisory
Web Security
HTML Entities
HTTP Only Cookies
Advanced Attacks
Trust
Two tools
Trustworthy scripting
XSS worms
Samy's worm
Wade Alcorn
We need new tools
HTML is complex and grows
There are so many XSS tools
Cases
Bypasses
Maybe XSS is dead
The tools we have
Academia is always busy
Other kinds of fix success
MIME sniffing cross-site scripting
Adobe Reader bug
Stronger tools
CSP
CDNs
CSPs
More tools
Content sanitization
Trust crumbling
We forgot the seatbelt
We are the color restriction
It's about money
We now have
Why don't we kill
Legacy system
We keep finding excuses
We can't fix XSS
I don't think it's management
I would lose a lot of money
What do we actually want
That's a good sign
What's next
Do we need more
SEC metadata
Google Scholar
Motivation
Punishment
Responsibility
Stop the buck finish
Fix bounties
The glorification goes overboard
Doctor please
Solutions
Start being honest
Let's start the panel
Cross-site scripting is dead
We are in a very good position
Questions
Taught by
OWASP Foundation