This talk provides a comprehensive overview of client-side Cross-site Scripting (also known as DOM-based XSS), from both an offensive and a defensive point of view.
Abstract

The term "Client-side Cross-site Scripting" describes a sub-class of XSS vulnerabilities, also known as DOM-based XSS. These vulnerabilities are caused by insecure JavaScript running within the browser. They are as potent as their server-side counterparts, yet they have always remained in the shadows, mainly because of a perceived significantly smaller attack surface. But is that assessment correct? And what happens with the recent push towards client-side applications?
In this session, we provide a comprehensive overview of client-side XSS. We illustrate that approximately 10% of all websites suffer from this problem, and we investigate why it is so hard to contain. We take a deep dive into one of the major issues on the web today: vulnerabilities in third-party code. By the end, you will have a solid understanding of the danger of client-side XSS, and you will know how to identify these problems and how to prevent them.
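As an added illustration of the problem class the talk covers (this is example code written for this page, not material from the talk or its authors), the snippet below shows the shape of a client-side XSS bug: data from a URL fragment, which the page's visitor or a link they follow controls, flows into `innerHTML`, a sink the browser parses as HTML. Two fixes follow: writing to a text sink (`textContent`) instead, or HTML-encoding the untrusted value before it reaches the HTML sink. The `makeElement` stand-in for a DOM element and the sample fragment are constructed so the example runs in Node as well as in a browser; in a real page `el` would be a result of `document.getElementById` and `fragment` would be `location.hash`.

```javascript
// Minimal stand-in for a DOM element so the example runs outside a browser.
// A real element's innerHTML setter parses the string as HTML; here we only
// record what was written, which is enough to see whether markup got through.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern (DOM-based XSS): the URL fragment, an attacker-controlled
// source, is concatenated straight into innerHTML, an HTML-parsing sink.
function renderGreetingVulnerable(el, fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  el.innerHTML = '<h1>Hello ' + name + '</h1>'; // any tags in `name` are parsed as markup
  return el.innerHTML;
}

// Fix 1: use a text sink. The browser never parses textContent as markup,
// so the untrusted value is displayed literally.
function renderGreetingSafeText(el, fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  el.textContent = 'Hello ' + name;
  return el.textContent;
}

// Fix 2: when an HTML sink is unavoidable, HTML-encode the untrusted part first.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafeEncoded(el, fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  el.innerHTML = '<h1>Hello ' + escapeHtml(name) + '</h1>';
  return el.innerHTML;
}

// Review/test check for HTML sinks: did the untrusted string reach the sink
// unencoded? (Only meaningful for innerHTML-style sinks; a text sink may
// legitimately contain the literal characters.)
function markupLeaks(renderedHtml, untrusted) {
  return renderedHtml.includes(untrusted);
}

// Constructed sample input: a harmless tag stands in for whatever a link could
// carry in the fragment. It is URL-encoded the way it would appear in a URL.
const SAMPLE_UNTRUSTED = '<b>Alice</b>';
const SAMPLE_FRAGMENT = '#' + encodeURIComponent(SAMPLE_UNTRUSTED);

// Stand-alone demonstration.
console.log('vulnerable:', renderGreetingVulnerable(makeElement(), SAMPLE_FRAGMENT));
console.log('text sink: ', renderGreetingSafeText(makeElement(), SAMPLE_FRAGMENT));
console.log('encoded:   ', renderGreetingSafeEncoded(makeElement(), SAMPLE_FRAGMENT));
```

The first output line shows the tag surviving into the HTML sink, which is exactly the condition a client-side XSS audit looks for: an untrusted source (`location.hash`, `location.search`, `document.referrer`, `postMessage` data) reaching a sink such as `innerHTML`, `document.write` or `eval` without encoding appropriate to that sink. Preferring text sinks removes the problem outright; encoding is the fallback when markup output is genuinely required.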
This session is intended for anyone building web and JavaScript applications.