OWASP AppSec DC 2012/Unraveling some of the Mysteries around DOMbased XSS

The Presentation
DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but its poorly understood. This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review. This talk will include discussion of numerous open source resources that are available on this topic. OWASP has numerous articles on DOM-based XSS, including a definition article (https://www.owasp.org/index.php/DOM_Based_XSS), an OWASP testing guide article _site_scripting_(OWASP-DV-003)), and the DOM-based XSS prevention cheat sheet eat_Sheet), and there are also other open source articles from leading researchers like Stefano Di Paulo (http://code.google.com/p/domxsswiki/wiki/Introduction) as well. The speaker has already contributed to all of these OWASP articles and in preparation for this talk, plans to review and contribute additional enhancements to each of these articles in order to make the authors recommendations publically available to the web security community in a very broad manner far beyond just delivering this talk at AppSec DC. The talk will also showcase and provide worked examples of how to use open source proxy tools like OWASP ZAP (https://www.owasp.org/index.php/ZAP) and WebScarab (https://www.owasp.org/index.php/WebScarab), along with Firebug and Chromes developer tools to track down DOM-based XSS issues within an application. The only open source DOM-based XSS detection tool, DOMinator (http://code.google.com/p/dominator/), will also be showcased in this talk.

The Speakers
Dave Wichers