What if XSS was a browser bug?

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration: Not yet available
Language: English
Abstract: Cross-Site Scripting (XSS) is still the most common security issue on the web - with no easy way to be prevented. The talk will provide the necessary background on XSS and where previous approaches failed. Then we will present the Sanitizer API, a new and upcoming browser API that solves this issue.

We’ll talk about mXSS and HTML parsing as background and then also explain why the XSS Auditor didn’t work (as a prime example of a browser-controlled XSS mitigation). Using examples from recent mXSS attacks against sanitizers, we are explaining the root cause of these issues and the solution: Parsing needs to be done within a context-element. Then we will explain how a built-in Sanitizer API can fill the existing gap and what it can and can not protect against, looking at more recent attacks like DOM Clobbering and script gadgets.

Talk ID: jev22-49210
Event:: jev22
Day: 5
Room: HIP1
Start: 2:30 p.m.
Duration: 01:00:00
Track: E.T.I.
Type of: Talk
Speaker: Frederik Braun
Talk Slug & media link: jev22-49210-what_if_xss_was_a_browser_bug

The video is not yet available

Missing form or progress bar? It may take up to ten minutes until the form appears, after you saved your progress on amara. Please give it a little patience and reload the page.