Finding and Fixing DOM-based XSS – with Static Analysis

Cross-Site Scripting (XSS) consistently ranks highest in the list of the most prevalent security problems within web applications. In particular, DOM-based XSS exposes one of the most severe issues facing Single Page Applications and Electron Apps.

This talk will examine the root causes of DOM-based XSS and provide fundamental insights into using static analysis to detect problematic code at scale. Furthermore, practical tips will show how to ease adoption of these techniques when dealing with potential false positives or large codebases. In conclusion, there will be an outlook on upcoming web standards which aim to support web developers to tackle DOM-based XSS once and for all

Vorkenntnisse

• A basic understanding of JavaScript and HTML is enough.
• The talk will explain XSS, just as it explains static source code analysis.
• Motivation and outlook aim more at practical applicability, but the talk is useful even without direct use of eslint.

Lernziele

• Reasons for DOM-based cross-site scripting (XSS) in source code.
• How JavaScript linters work.
• Advantages and disadvantages of static source code analysis.
• How to detect and gradually eliminate security vulnerabilities in legacy/existing code.
• How to develop your own linter plug-ins.