SecAppDev 2019 has ended
Back To Schedule
Thursday, February 21 • 11:00 - 12:30
The ins and outs of client-side XSS

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

The talk session will provide a comprehensive overview on client-side Cross-site Scripting (aka DOM-based XSS), both from a offensive as well as form a defensive point of view.

The term "Client-side Cross-site Scripting" describes a sub-class of XSS vulnerabilities, also known as DOM-based XSS. These vulnerabilities are caused by insecure JavaScript within the browser. These client-side vulnerabilities are as potent as their server-side counterparts. However, they have always remained in the shadow, mainly due to a perceived significantly smaller attack surface. But is that a correct assessment? What happens with the recent push towards client-side applications?

In this session, we provide a comprehensive overview of client-side XSS. We illustrate that approximately 10% of all websites suffer from this problem. We investigate why the problem is so hard to contain. We will take a deep-dive into one of the major issues on the web today: vulnerabilities in third-party code. In the end, you will have a solid understanding of the danger of client-side XSS. You will know how to identify these problems, and how to prevent them.

This session is intended for anyone building web and JavaScript applications.


Martin Johns

Full professor, TU Braunschweig

Thursday February 21, 2019 11:00 - 12:30 CET
West wing (room Lemaître)