Libinjection: From SQLi to XSS Detection - New Algorithm Introduction
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore a conference talk on the evolution of libinjection from SQL injection detection to cross-site scripting (XSS) prevention. Delve into the development of a new algorithm for detecting XSS attacks that, like its SQLi counterpart, avoids regular expressions, offers high speed and accuracy, and is freely available on GitHub. Learn about the semantic differences between SQLi and XSS from a defender's perspective, understand how the libinjection algorithm functions, and discover its current results and availability. Gain insights into HTML injection, JavaScript injection, sanitization techniques, and the challenges of XSS detection, including the complexities of HTML5 tokenization and browser-specific issues.
Syllabus
Intro
What's the Goal?
What is Libinjection?
Why libinjection?
Initial Attempt
Go Get It!
HTML Injection
These are attacks against the HTML tokenization algorithm.
Javascript Injection
Hard Problem
Use a HTML Purifier
Sanitization Functions
Regular Expressions
Web Browsers!
Opera
XSS Detection for The Future
Pick Your Battles Not Covering
Technique
Shifting the Problem
HTML5 Tokenization
Problematic Tokens
Yeah it's a blacklist
XSS Cheatsheets
Attack / Scanners
IE Unbalanced Quote
Performance
Current Status 2014-01-27
What do you expect?
Taught by
OWASP Foundation