YoVDO

Don't Trust the DOM - Bypassing XSS Mitigations via Script Gadgets

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses Cross-Site Scripting (XSS) Courses Content Security Policy (CSP) Courses

Course Description

Overview

Explore a novel web hacking technique that bypasses most XSS mitigations in this 42-minute conference talk from OWASP BeNeLux Day. Delve into the concept of script gadgets, legitimate JavaScript pieces that can be exploited to circumvent HTML sanitizers and security policies. Examine case studies and real-world examples demonstrating the inadequacy of current mitigation techniques for modern applications. Learn about the prevalence of these gadgets in popular JavaScript libraries, APIs, and applications. Understand the methodology behind bypassing Web Application Firewalls, XSS filters, HTML sanitizers, and various Content Security Policy implementations. Analyze empirical study results, root causes, and challenges associated with script gadgets. Gain insights into the need for more preventive mechanisms in web security and the limitations of current XSS mitigations.

Syllabus

Intro
OWASP Agenda
OWASP Cross-Site-Scripting (XSS) primer
OWASP Isn't XSS a solved problem?
OWASP How do mitigations work?
OWASP Modern Applications - Example
OWASP What are Script Gadgets?
OWASP Attacker model
OWASP Methodology
OWASP Bypassing WAFS & XSS filters
OWASP Bypassing HTML sanitizers
OWASP Bypassing Content Security Policy
OWASP Bypassing CSP strict dynamic
OWASP Gadgets in expression parsers
OWASP Empirical Study
OWASP Research Questions
OWASP Script Gadgets in user land code
OWASP Gadgets effectiveness - user land code
OWASP Root Cause Analysis
OWASP Example
OWASP Challenges
OWASP Call to arms
OWASP Summary


Taught by

OWASP Foundation

Related Courses

Fixing XSS with Content Security Policy
LASCON via YouTube
OWASP Top 10 for JavaScript Developers
OWASP Foundation via YouTube
Breaking Microsoft Edge Extensions Security Policies
media.ccc.de via YouTube
Dissecting CSRF Attacks & Countermeasures
Black Hat via YouTube
Browser Security and HTTP Headers - Attacks and Protections in Action
Devoxx via YouTube