Defending Against Cross-Site Scripting (XSS) Vulnerabilities
Offered By: YouTube
Course Description
Overview
Learn about defending against cross-site scripting (XSS) attacks in this 59-minute conference talk by Jason Montgomery. Explore the challenges faced by software developers in securing applications, including market forces and knowledge gaps. Understand different types of XSS attacks, injection points, and vulnerabilities through real-world examples like Twitter. Discover practical mitigation strategies such as encoding, whitelisting, and using Anti-XSS libraries. Gain insights into browser protection mechanisms and security maturity models. Watch a demonstration using Metasploit and Aurora, and leave with actionable takeaways to improve your application's security against XSS threats.
Syllabus
Intro
Software developers
Who's vulnerable
White Hat
Windows Exposure
Challenges to Secure Applications
Market Forces
Knowledge Gap
Constraints
Security maturity models
Crash tests
Software and security
Raise awareness and education
Prioritize
Top 10
Injection
Taxonomy
Types of XSS
Reflected Example
Context Matters
Injection Points
JavaScript
Cross-site scripting vulnerabilities
Twitter scripting vulnerabilities
Browser protection
Cross-site scripting
Takeaways
Injection Mitigation
Encoding
AntiXSS
Whitelisting
Unicode
Context
ModelController
Demo
Metasploit
Aurora
Screenshot
Takeaway
Related Courses
Web Security Fundamentals (KU Leuven University via edX)
Exploiting and Securing Vulnerabilities in Java Applications (University of California, Davis via Coursera)
Information Security - Advanced topics (New York University (NYU) via edX)
Cloud Top Ten Risks (University of Minnesota via Coursera)
ASP.NET Core: Security (LinkedIn Learning)