Dates
Conferences
Tags
Sort by:
Most recent
Conference: Global AppSec San Francisco 2022
Authors: Simon Bennetts, semgrep.dev
2022-11-18
Is OWASP Still Relevant?Do people want to go to conferences and chapter meetings in the aftermath of COVID?Do we need 260+ projects?Does anyone get past the titles of the Top 10?In this talk Simon will explain why he thinks OWASP is still very relevant and a much needed force for good.But this will be interactive and you will get a chance to have your say!
Conference: Global AppSec San Francisco 2022
Authors: David Klein
2022-11-17
Hand sanitizers have been an important tool to prevent the Covid pandemic from spreading even further. However, not everything related to hand sanitization is as positive. Hand written sanitizing functions, frequently found on the web, are a grave security risk. Input sanitization is the main technique to defend against injection attacks such as Cross-Site Scripting (XSS). With more and more functionality being offered in the form of web applications, the importance of correct sanitizing functions increases.While evidence of broken sanitizers exist, no comprehensive study about real world JavaScript sanitizing functions existed. To close this gap we leveraged a taint-tracking enabled Web browser to detect JavaScript code performing input sanitization. We built an analysis framework to evaluate the collected functions for both generality and security. We found 10% of the analyzed sanitizers to be blatantly insecure with our framework being able to automatically generate a modified payload passing through the sanitizer. However, most of the remaining sanitizers were only secure for the exact piece of code surrounding them, running danger that a simple modification, such as changing from single to double quotes, opens the door to injection vulnerabilities.By attending this session you will learn about the intricacies of input sanitization on the web, how to protect your website and what to avoid when doing so. You will also get a glimpse towards upcoming mitigations against Client-Side XSS, which might aid to finally ridden the web of this vulnerability class.