JS Security - A Pentester's Perspective

Explore JavaScript security from a penetration tester's perspective in this JSConf.Asia 2015 talk. Gain insights into how pentesters analyze and exploit web applications, focusing on JavaScript, JSON, and HTML5 security issues. Learn to identify vulnerabilities in code and write secure JavaScript to reduce bugs discovered during testing. Dive into DOM XSS exercises and examine CORS abuse in cross-domain communications. Benefit from the speaker's 12+ years of experience in web application penetration testing across various industries. Discover practical examples, including DOM manipulation, sources and sinks, exploit demonstrations, and solutions. Investigate templating engines, tab nabbing, and automation techniques using Chrome extensions. Gain valuable knowledge to enhance your web application security skills and create safer solutions.

Introduction
Agenda
What is DOM excesses
Why I like DOM excesses
A simple DOM manipulation
Source and Sink
Sources and Sink
Adamek Sucess
Low Priority Issues
Exploit Demo
Solution
Exploit
Templating Engines
Tab Nabbing
Window Dot Name
How do you automate
Chrome extension
How it works
DomCobra
Insecure Blog