Unraveling some of the Mysteries around DOM-based XSS
AppSec USA 2012, Austin, TX
Dave Wichers, Aspect Security COO, OWASP Board Member, OWASP Top 10 Project Lead
dave.wichers@
Me: Dave Wichers
COO / Cofounder, Aspect Security
- ~25 years in application security consulting
- OWASP Board Member, Top 10 Lead, ASVS Coauthor
- Code reviewed / pen tested hundreds of applications
- Taught hundreds of secure coding courses
Aspect Security
Application Security Consulting
- Application code review / pen testing
- Secure coding training (live, virtual)
- Secure development lifecycle process improvement
Products
- Contrast: vulnerability detection through application monitoring for JavaEE
- eLearning: over 50 eLearning modules
Cross-Site Scripting (XSS): Example
User input is often reflected back to the user. Suppose the input is:
<script>alert(document.cookie)</script>
The site reflects the script back to the user's browser, where it executes and displays the session cookie in a popup (document.cookie exposes every cookie for the page that is not flagged HttpOnly).
XSS: Terminology
XSS types (current terminology):
- Type 2: Stored XSS (aka Persistent)
- Type 1: Reflected XSS (aka Non-Persistent)
- Type 0: DOM-Based XSS
Source: Cross-Site Scripting (XSS)
"There's also a third kind of XSS attacks - the ones that do not rely on sending the malicious data to the server in the first place!" (Amit Klein, discoverer of DOM-Based XSS)
"DOM-based vulnerabilities occur in the content processing stage performed on the client, typically in client-side JavaScript."
XSS Types: Illustrated
[Diagram: a messaging application. User input (sample message from Bob: "What's for dinner? <script>alert(1)</script>") is entered in a JavaScript form and can reach the rendered page by four routes:]
- 1: DOM-Based Reflected XSS (user input rendered directly by the JavaScript form)
- 2: DOM-Based Stored XSS (message kept in HTML5 Local Storage and rendered later)
- 3: Reflected XSS (via AJAX request/response)
- 4: Stored XSS (message stored on the server, retrieved later via AJAX message retrieval)
[Diagram elements: User Input, JavaScript Form, Sent Message / Message Body, Store Message on Server, HTML 5 Local Storage]
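The reflected-XSS example earlier in the deck and the message paths in the diagram above, as an added example that is not part of the original slides: a small model of the "JavaScript Form" that takes a message from one of the diagram's sources (the URL fragment for path 1, HTML5 localStorage for path 2, an AJAX response body for paths 3/4) and writes it into the page. Node has no DOM, so the sink is modelled as the HTML string that `element.innerHTML` would receive, a `Map` stands in for `window.localStorage`, the payload and the AJAX JSON are constructed inputs, and the function names (`renderUnsafe`, `renderSafe`, `injectsMarkup`, `demo`) are this example's own, not anything from the slides.

```javascript
// Added example (not from the slides): models the "JavaScript Form" in the
// XSS Types diagram. A message arrives from a source and is written to a
// DOM sink. The sink is modelled as the string element.innerHTML would get.

// Constructed attacker message. An <img onerror> payload is used instead of
// <script> because browsers do not execute <script> elements inserted via
// innerHTML, but they do fire event handlers on inserted elements.
const PAYLOAD = "Bob What's for dinner?<img src=x onerror=alert(1)>";

// Source, path 1 (DOM-based reflected): document.location.hash,
// e.g. "#msg=<percent-encoded text>", parsed entirely on the client.
function messageFromFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("msg") || "";
}

// Source, path 2 (DOM-based stored): HTML5 localStorage. A Map stands in
// for window.localStorage so the example runs outside a browser (assumption).
const localStorageModel = new Map();
function storeMessage(key, msg) { localStorageModel.set(key, msg); }
function loadMessage(key) { return localStorageModel.get(key) || ""; }

// Source, paths 3/4 (AJAX reflected/stored): the message body in a JSON
// response returned by the server (constructed, not a real server).
function messageFromAjax(responseText) {
  return JSON.parse(responseText).body;
}

// Vulnerable sink: element.innerHTML = "<div class='msg'>" + msg + "</div>"
// The message is parsed as HTML whichever source it came from.
function renderUnsafe(msg) {
  return "<div class='msg'>" + msg + "</div>";
}

// Fix: encode the HTML-significant characters before the message reaches
// innerHTML (or assign element.textContent, which never parses HTML).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderSafe(msg) {
  return "<div class='msg'>" + escapeHtml(msg) + "</div>";
}

// Crude oracle used only to compare the two sinks: does the rendered HTML
// still contain a tag that came from the message (an <img> after the div)?
function injectsMarkup(html) {
  return /<img\b/i.test(html.slice("<div class='msg'>".length));
}

// Walk the payload through every source and both sinks.
function demo() {
  const results = {};

  // Path 1: DOM-based reflected via the URL fragment
  const hash = "#msg=" + encodeURIComponent(PAYLOAD);
  const fromHash = messageFromFragment(hash);
  results.reflectedUnsafe = injectsMarkup(renderUnsafe(fromHash));
  results.reflectedSafe = injectsMarkup(renderSafe(fromHash));

  // Path 2: DOM-based stored via localStorage, rendered on a later visit
  storeMessage("lastMessage", PAYLOAD);
  const fromStorage = loadMessage("lastMessage");
  results.storedUnsafe = injectsMarkup(renderUnsafe(fromStorage));
  results.storedSafe = injectsMarkup(renderSafe(fromStorage));

  // Paths 3/4: message body from an AJAX response
  const response = JSON.stringify({ from: "Bob", body: PAYLOAD });
  const fromAjax = messageFromAjax(response);
  results.ajaxUnsafe = injectsMarkup(renderUnsafe(fromAjax));
  results.ajaxSafe = injectsMarkup(renderSafe(fromAjax));

  return results;
}

console.log(demo());
```

The point the diagram makes, and the example reproduces, is that the sink is the same in all four paths: whether the message never left the browser (fragment, localStorage) or round-tripped through the server (AJAX), an `innerHTML` assignment of unencoded data executes the payload, and output encoding at the sink fixes all four at once.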