OWASP AppSec DC 2012/Unraveling some of the Mysteries around DOMbased XSS

From OWASP
Revision as of 09:42, 22 March 2012 by Wichers (Talk | contribs)

Jump to: navigation, search

AppSecDC-468x60-banner-2012.jpg

Registration Now OPEN! | Hotel | Schedule | Convention Center | AppSecDC.org

The Presentation

DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it's poorly understood.

This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.

This talk will include discussion of numerous open source resources that are available on this topic. OWASP has numerous articles on DOM-based XSS, including a definition article (https://www.owasp.org/index.php/DOM_Based_XSS), an OWASP testing guide article _site_scripting_(OWASP-DV-003)), and the DOM-based XSS prevention cheat sheet eat_Sheet), and there are also other open source articles from leading researchers like Stefano Di Paulo (http://code.google.com/p/domxsswiki/wiki/Introduction) as well. The speaker has already contributed to all of these OWASP articles and in preparation for this talk, plans to review and contribute additional enhancements to each of these articles in order to make the author's recommendations publically available to the web security community in a very broad manner far beyond just delivering this talk at AppSec DC. The talk will also showcase and provide worked examples of how to use open source proxy tools like OWASP ZAP (https://www.owasp.org/index.php/ZAP) and WebScarab (https://www.owasp.org/index.php/WebScarab), along with Firebug and Chrome's developer tools to track down DOM-based XSS issues within an application. The only open source DOM-based XSS detection tool, DOMinator (http://code.google.com/p/dominator/), will also be showcased in this talk.

The Speaker

Dave Wichers

Owasp logo normal.jpg
Bio: Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP including being a member of the OWASP Board since it was formed in 2003.

Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect's application security courseware lead, one of their chief instructors, and provides a wide variety of application security consulting services to Aspect's clients. This includes frequent application security verification efforts involving both code review and application penetration testing for both commercial and Government clients.

Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Dave has a Bachelors and Masters degree in Computer Science, is a CISSP, and a CISM.

For more details, see my full bio at: User:Wichers


Gold Sponsors

Aspect logo owasp.jpg AppSecDC2009-Sponsor-securicon.gif AppSecDC2009-Sponsor-mandiant.gif AppSecDC2012-ISC2.gif

Silver Sponsors

SPL-LOGO-MED.png

Small Business

AppSecDC2012-Sponsor-sideas.gif BayShoreNetworks.png

Exhibitors

link=http://www.codenomicon.com/ Codenomicon WhiteHat Logo.png AppSecDC2012-HP.jpg WSI - Logo.jpg