Revisiting XSS Sanitization
By Ashar Javed
The online WYSIWYG ("What You See Is What You Get") editors or rich-text editors are nowadays an essential component of web applications. They allow users of web applications to edit and enter HTML rich text (i.e., formatted text, images, links, videos, etc.) inside the web browser window.
This talk will first demonstrate how to break the top 25 online WYSIWYG editors powering thousands of web applications. We show XSS bypasses for top WYSIWYG editors like TinyMCE, Jive, Froala, CKEditor, etc. We will share stories of how we were able to XSS the WYSIWYG editors of sites like Twitter, Yahoo Email, Amazon, GitHub, Magento, and CNET.
After breaking almost all WYSIWYG editors in the wild, this talk will present a sanitizer (a very easy to use, effective and practical solution) which is based only on '11 chars + 3 regular expressions' and will show how it will save you from an XSS in HTML, attribute, script (including JSON context), style and URL contexts.
Video "Revisiting XSS Sanitization" from the Black Hat channel
Other videos from the channel
![OWASP AppSec EU 2013: How mXSS attacks change everything we believed to know so far](https://i.ytimg.com/vi/Haum9UpIQzU/default.jpg)
![Protecting from XSS with Sanitize](https://i.ytimg.com/vi/L5nIqRBx_Ng/default.jpg)
![Client-Side Protection Against DOM-Based XSS Done Right (tm)](https://i.ytimg.com/vi/u7wrKchcOGU/default.jpg)
![HTTP Desync Attacks: Request Smuggling Reborn](https://i.ytimg.com/vi/_A04msdplXs/default.jpg)
![Ichthyology: Phishing as a Science](https://i.ytimg.com/vi/Z20XNp-luNA/default.jpg)
![Reflected File Download - A New Web Attack Vector](https://i.ytimg.com/vi/dl1BJUNk8V4/default.jpg)
![11 Chrome Settings You Should Change Now!](https://i.ytimg.com/vi/-1nAyfHc0nU/default.jpg)
![Infecting the Enterprise: Abusing Office365+Powershell for Covert C2](https://i.ytimg.com/vi/CvEXzHkhcjo/default.jpg)
![Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science](https://i.ytimg.com/vi/x97ejtv56xw/default.jpg)
![Bugcrowd University - Cross Site Scripting (XSS)](https://i.ytimg.com/vi/gkMl1suyj3M/default.jpg)
![Part 45 - Security Concerns with WYSIWYG Editors [How to Build a Blog with Laravel 5 Series]](https://i.ytimg.com/vi/_md2zRrPAhA/default.jpg)
![New Credit Management Part 2: Sales Order Blocking and Exclusion Rules](https://i.ytimg.com/vi/t4M9iP4aHT8/default.jpg)
![Exploiting Network Printers](https://i.ytimg.com/vi/DwKzSO4yA_s/default.jpg)
![Garage4Hackers Ranchoddas Webcast on XSS Protection Bypass By Ashar Javed](https://i.ytimg.com/vi/TKn5qdti66c/default.jpg)
![AppSec EU 2017 Don't Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets by Sebastian Lekies](https://i.ytimg.com/vi/p07acPBi-qw/default.jpg)
![Cracking the Lens: Targeting HTTP's Hidden Attack-Surface](https://i.ytimg.com/vi/zP4b3pw94s0/default.jpg)
![Your Scripts In My Page - What Could Possibly Go Wrong?](https://i.ytimg.com/vi/Mnkgg3q51Ps/default.jpg)
![Hacking Websites With Cross-Site Scripting (XSS Attack Basics)](https://i.ytimg.com/vi/9kaihe5m3Lk/default.jpg)
![Exploit Kit Cornucopia](https://i.ytimg.com/vi/s6_faEjf4AQ/default.jpg)