Praktikum zur Hackertechnik - 18.01.2012 - Stefano Di Paola

Jan 19, 2012 by rubcast

Abstract of the talk by Stefano Di Paola - Minded Security

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web applications with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla XSS and the latter is how hard it is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM XSS by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

 


 


Posted in Winter Semester 2011/12 | RUBcast Public
Tags: Praktikum zur Hackertechnik