• XSS Intro
• What is it?
• Real-world compromise of Apache.org
• XSS Remediation
• Strategic vs. Tactical
• When you can’t fix the code
• XSS Street-Fight
• Input Validation
− Whitelist Filtering
− Blacklist Filtering
− Generic Attack Payload Detection
• Identify Output Handling Flaws
− Missing output escaping of user-supplied content
• Application Response Profiling
− Track the # of scripts/iframes in pages
• Defensive JS Injection
− JS Sandbox
• Conclusion/Questions