Authors: Omar Minawi
2022-11-18

Can’t seem to shake off those XSS bug bounty reports? Interested in exploring a novel XSS attack chain? This session is for you. Tune in to explore a real-life example of a multi-step XSS attack chain that targeted and exploited multiple trust domains. You will get an insight into defense-in-depth and an exciting walkthrough of exploit research and investigation. Lastly, we will tie it all together by evaluating and diving into multiple web security defense-in-depth tactics that could thwart this novel chained attack.

Authors: David Klein
2022-11-17

Hand sanitizers have been an important tool to prevent the Covid pandemic from spreading even further. However, not everything related to hand sanitization is as positive. Hand-written sanitizing functions, frequently found on the web, are a grave security risk. Input sanitization is the main technique to defend against injection attacks such as Cross-Site Scripting (XSS). With more and more functionality being offered in the form of web applications, the importance of correct sanitizing functions increases. While evidence of broken sanitizers exists, no comprehensive study about real-world JavaScript sanitizing functions existed. To close this gap we leveraged a taint-tracking enabled Web browser to detect JavaScript code performing input sanitization. We built an analysis framework to evaluate the collected functions for both generality and security. We found 10% of the analyzed sanitizers to be blatantly insecure, with our framework being able to automatically generate a modified payload passing through the sanitizer. However, most of the remaining sanitizers were only secure for the exact piece of code surrounding them, running the danger that a simple modification, such as changing from single to double quotes, opens the door to injection vulnerabilities. By attending this session you will learn about the intricacies of input sanitization on the web, how to protect your website and what to avoid when doing so. You will also get a glimpse of upcoming mitigations against Client-Side XSS, which might help to finally rid the web of this vulnerability class.