XSS Mitigation - The State of the Art
Offered By: Security BSides San Francisco via YouTube
Course Description
Overview
Explore the complexities of XSS attacks and mitigations in this comprehensive conference talk from BSidesSF 2022. Delve into essential topics such as CSPv3, Trusted Types, Strict Dynamic, CORP, and CORB to implement effective XSS defenses across multiple layers. Learn about the evolution of web security models, common bypass techniques, and specific vulnerabilities in Electron apps. Discover server-side rendering options, auto Content Security Policy implementation, and templating engine-level mitigations. Examine the role of Static Application Security Testing (SAST) and existing standard mitigations through security headers. Gain insights into the future of browser and server-side defenses, and understand XSS-specific risks in supply chain security. This talk equips you with the knowledge to create a robust, multi-layered approach to XSS mitigation in modern web applications.
Syllabus
Intro
Main XSS variants
Web security model: Same Origin Policy, 1995
Juicy targets: Electron apps
Most common bypasses
Disable JavaScript
Trusted Types
Cookies security
The future of browser defenses
Server Side Rendering options
Auto Content Security Policy for Server Side Rendering
Templating engines-level mitigations
Static Application Security Testing (SAST)
Existing standards mitigations overview (aka security headers soup)
The future of server side mitigations
Battlecards: XSS threat model
Frameworks and associated risks
Supply chain security: XSS specific risks
Remote dependencies can be tampered with
XSS defense in depth
Taught by
Security BSides San Francisco
Related Courses
Web Hacking Expert - Full-Stack Exploitation Mastery (Packt via Coursera)
OWASP Top 10: #7 XSS and #8 Insecure Deserialization (LinkedIn Learning)
Web Security: Same-Origin Policies (LinkedIn Learning)
Configuring Security Headers in ASP.NET and ASP.NET Core Applications (Pluralsight)
Defeating Cross-site Scripting with Content Security Policy 2 (Pluralsight)