Finding and Fixing DOM-based XSS – with Static Analysis

Cross-Site Scripting (XSS) consistently ranks highest in the list of the most prevalent security problems within web applications. In particular, DOM-based XSS exposes one of the most severe issues facing Single Page Applications and Electron Apps.

This talk will examine the root causes of DOM-based XSS and provide fundamental insights into using static analysis to detect problematic code at scale. Furthermore, practical tips will show how to ease adoption of these techniques when dealing with potential false positives or large codebases. In conclusion, there will be an outlook on upcoming web standards which aim to help web developers tackle DOM-based XSS once and for all.

Prerequisites

  • A basic understanding of JavaScript and HTML is enough.
  • The talk will explain XSS, just as it explains static source code analysis.
  • The motivation and outlook focus on practical applicability, but the talk is useful even for those who do not use eslint directly.

Learning objectives

  • Reasons for DOM-based cross-site scripting (XSS) in source code.
  • How JavaScript linters work.
  • Advantages and disadvantages of static source code analysis.
  • How to detect and gradually eliminate security vulnerabilities in legacy/existing code.
  • How to develop your own linter plug-ins.
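The learning objectives above mention how JavaScript linters work and how to write your own linter plug-in to find DOM-based XSS sinks. The following is an added example, not code from the talk or from Frederik Braun: a minimal rule in the shape ESLint expects (a `meta` object plus `create(context)` returning AST visitors) that flags assignments to `innerHTML` and `outerHTML` unless the right-hand side is a plain string literal, which is a cheap way to keep the false-positive rate down in legacy code. The `context` object and the ESTree nodes are constructed by hand so the file runs without ESLint or a parser installed; in a real plug-in, ESLint supplies both.

```javascript
// Added example (not from the talk): an ESLint-style rule that reports
// assignments to HTML-interpreting DOM sinks when the assigned value is not a
// string literal. The rule object follows the real ESLint rule shape; the
// "context" and ESTree nodes further down are constructed by hand so this
// file runs stand-alone, without ESLint or a JavaScript parser.
'use strict';

// DOM properties that parse their assigned string as HTML (DOM XSS sinks).
const HTML_SINKS = new Set(['innerHTML', 'outerHTML']);

// Returns the property name of a MemberExpression such as `el.innerHTML`
// or `el["innerHTML"]`; returns null for any other node shape.
function sinkName(node) {
  if (!node || node.type !== 'MemberExpression') return null;
  if (!node.computed && node.property.type === 'Identifier') {
    return node.property.name;
  }
  if (node.computed && node.property.type === 'Literal' &&
      typeof node.property.value === 'string') {
    return node.property.value;
  }
  return null;
}

// A constant string cannot carry attacker-controlled data, so skipping it
// removes the most common class of false positives for this rule.
function isStringLiteral(node) {
  return node.type === 'Literal' && typeof node.value === 'string';
}

// The rule itself, in the format an ESLint plug-in would export.
const noUnsafeHtmlSinkRule = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow non-literal assignments to HTML sinks' },
    messages: {
      unsafeSink:
        'Assignment to {{sink}} with a non-literal value is a DOM XSS sink; ' +
        'use textContent or sanitize the value first.',
    },
    schema: [],
  },
  create(context) {
    return {
      // ESLint calls this visitor for every AssignmentExpression in the AST.
      AssignmentExpression(node) {
        const sink = sinkName(node.left);
        if (sink && HTML_SINKS.has(sink) && !isStringLiteral(node.right)) {
          context.report({ node, messageId: 'unsafeSink', data: { sink } });
        }
      },
    };
  },
};

// Runs the rule over a list of AssignmentExpression nodes with a hand-built
// context (ESLint normally provides this) and returns the collected reports.
function lintAssignments(nodes) {
  const reports = [];
  const context = { report: (r) => reports.push(r) };
  const visitors = noUnsafeHtmlSinkRule.create(context);
  for (const n of nodes) visitors.AssignmentExpression(n);
  return reports;
}

// Helper to build a non-computed MemberExpression node like `obj.prop`.
function member(objName, propName) {
  return {
    type: 'MemberExpression',
    computed: false,
    object: { type: 'Identifier', name: objName },
    property: { type: 'Identifier', name: propName },
  };
}

// Constructed ESTree fragments, as a parser such as espree would produce for:
//   el.innerHTML = location.hash      -> flagged (non-literal into HTML sink)
//   el.innerHTML = "<b>static</b>"    -> allowed (string literal)
//   el.textContent = location.hash    -> allowed (textContent is not an HTML sink)
const SAMPLE_NODES = [
  { type: 'AssignmentExpression', operator: '=',
    left: member('el', 'innerHTML'), right: member('location', 'hash') },
  { type: 'AssignmentExpression', operator: '=',
    left: member('el', 'innerHTML'), right: { type: 'Literal', value: '<b>static</b>' } },
  { type: 'AssignmentExpression', operator: '=',
    left: member('el', 'textContent'), right: member('location', 'hash') },
];

for (const r of lintAssignments(SAMPLE_NODES)) {
  console.log(`${r.data.sink}: ${noUnsafeHtmlSinkRule.meta.messages[r.messageId]}`);
}
```

Only the first sample assignment is reported. Extending the rule to other sinks (`document.write`, `insertAdjacentHTML`, `eval`) means adding visitors for `CallExpression` nodes in the same way; the literal-only exemption is deliberately coarse, and a stricter team would replace it with a check for a known sanitizer wrapping the value.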

Speaker


Frederik Braun
Frederik Braun works as a Security Engineer for Mozilla Firefox in Berlin. As a member of the W3C Web Application Security Working Group, he also co-developed the "Subresource Integrity" standard. When Frederik is not working, he is either reading a good novel or taking long bicycle trips across Europe with his family of four. Or both.
