XSS is Dead - We Just Don't Get It

OWASP Foundation via YouTube

Overview

Explore the history, evolution, and current state of Cross-Site Scripting (XSS) vulnerabilities in this provocative keynote address from OWASP AppSec EU 2018. Delve into the origins of XSS dating back to 1998, examining past attempts to mitigate the issue and their subsequent failures. Analyze how web infrastructure and monetization have contributed to the persistence of XSS, drawing parallels to other human failures. Gain insights into potential future developments and industry-wide challenges in addressing this long-standing security concern. Evaluate the effectiveness of various tools, techniques, and approaches used to combat XSS, including Content Security Policy (CSP), sanitization, and bug bounty programs. Reflect on the broader implications for web security and the responsibilities of developers, organizations, and the security community in tackling persistent vulnerabilities.

Syllabus

Intro
Welcome
Who's here
Agenda
Cross-site scripting
Cross-site scripting types
Looking at the past
CERT Advisory
Web Security
HTML Entities
HttpOnly Cookies
Advanced Attacks
Trust
Two tools
Trustworthy scripting
XSS worms
Samy worm
Wade Alcorn
We need new tools
HTML is complex and grows
There are so many XSS tools
Cases
Bypasses
Maybe XSS is dead
The tools we have
Academia is always busy
Other kinds of fix success
MIME sniffing cross-site scripting
Adobe Reader bug
Stronger tools
CSP
CDNs
CSPs
More tools
Content sanitization
Trust crumbling
We forgot the seatbelt
We are the color restriction
It's about money
We now have
Why don't we kill
Legacy system
We keep finding excuses
We can't fix XSS
I don't think it's management
I would lose a lot of money
What do we actually want
That's a good sign
What's next
Do we need more
Sec-Metadata
Google Scholar
Motivation
Punishment
Responsibility
Stop the buck finish
Fix bounties
The glorification goes overboard
Doctor please
Solutions
Start being honest
Let's start the panel
Cross-site scripting is dead
We are in a very good position
Questions

Taught by

OWASP Foundation
