
Published on April 3rd, 2015


Revisiting XSS Sanitization



By Ashar Javed

"Online WYSIWYG ("What You See Is What You Get") editors, or rich-text editors, are nowadays an essential component of web applications. They allow users of web applications to edit and enter HTML rich text (i.e., formatted text, images, links, videos, etc.) inside the web browser window.

This talk will first demonstrate how to break the top 25 online WYSIWYG editors powering thousands of web applications. We show XSS bypasses for top WYSIWYG editors like TinyMCE, Jive, Froala, CKEditor, etc. We will share stories of how we were able to XSS the WYSIWYG editors of sites like Twitter, Yahoo Email, Amazon, GitHub, Magento, CNET, etc.

After breaking almost all WYSIWYG editors in the wild, this talk will present a sanitizer (a very easy to use, effective and practical solution) which is based only on '11 chars + 3 regular expressions', and will show how it will save you from an XSS in HTML, attribute, script (including JSON), style and URL contexts."
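The abstract contrasts editor-side filtering, which the talk bypasses, with per-context encoding and validation. The following is an added illustration written for this page, not Ashar Javed's sanitizer and not code from any of the editors named above: a deny-list filter of the kind editors commonly ship, a few constructed payloads that pass through it unchanged, and a context-aware alternative that encodes for the HTML/attribute context, validates URL and CSS values against an allowlist, and hex-escapes data placed in a JavaScript string or in JSON inside a script block. The encoded character set, the regular expressions, and the helper names are this example's own assumptions and are not the "11 chars + 3 regular expressions" the talk describes.

```javascript
// Added example (not the talk's sanitizer): a deny-list WYSIWYG filter of the
// kind editors commonly ship, constructed payloads that slip past it, and a
// context-aware encoder/validator that neutralises the same input. The
// character set and regular expressions below are this example's own choices.

// --- 1. Typical deny-list filter: strips <script>, quoted on*= handlers and
//        the literal "javascript:" scheme, and nothing else.
function naiveSanitize(html) {
  return String(html)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*')/g, '')
    .replace(/javascript:/g, '');
}

// Constructed payloads; each survives naiveSanitize() unchanged because the
// filter keys on surface syntax the browser does not actually require.
const NAIVE_BYPASSES = [
  '<img src=x onerror=alert(1)>',              // unquoted handler value
  '<img src=x/onerror="alert(1)">',            // "/" instead of whitespace before the attribute
  '<a href="JavaScript:alert(1)">x</a>',       // mixed-case scheme
  '<a href="java&#x09;script:alert(1)">x</a>', // entity-encoded tab inside the scheme
];

// --- 2. Context-aware handling.

// HTML text and attribute context: every character that can open or close
// markup, a quoted attribute, or a JS string/call is entity-encoded
// (this set is an assumption of the example).
const HTML_ENCODE = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  '`': '&#x60;', '/': '&#x2F;', '\\': '&#x5C;', '=': '&#x3D;',
  '(': '&#x28;', ')': '&#x29;',
};
function encodeHtml(s) {
  return String(s).replace(/[&<>"'`\/\\=()]/g, c => HTML_ENCODE[c]);
}

// JavaScript string context: everything outside [A-Za-z0-9] becomes \xHH or \uHHHH.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL context: works on the decoded attribute value, drops the control and
// whitespace characters browsers ignore inside a scheme, then allows only
// http(s)/mailto or scheme-less (relative) URLs; anything else becomes about:blank.
function safeUrl(url) {
  const u = String(url).replace(/[\u0000-\u0020\u007f]/g, '');
  if (/^[a-z][a-z0-9+.-]*:/i.test(u)) {
    return /^(?:https?|mailto):/i.test(u) ? u : 'about:blank';
  }
  return u;
}

// Style context: a CSS value is accepted only if it is built from a small
// character set; "(" and ")" are excluded, so url(...) and expression(...) never pass.
function safeCssValue(v) {
  const s = String(v).trim();
  return /^[a-z0-9 #%.,-]{1,64}$/i.test(s) ? s : '';
}

// A rich-text link as an editor might emit it, with every user-controlled
// value passed through the encoder or validator for its context.
function renderLink({ text, href, color, title }) {
  return '<a href="' + encodeHtml(safeUrl(href)) + '"'
       + ' style="color:' + encodeHtml(safeCssValue(color)) + '"'
       + ' title="' + encodeHtml(title) + '">'
       + encodeHtml(text) + '</a>';
}

// JSON inside <script>: JSON.stringify alone is not enough, because "</script>"
// inside a string closes the block and U+2028/U+2029 are JS line terminators.
function renderConfigScript(obj) {
  const json = JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '<script>var cfg=' + json + ';</script>';
}

// Runs the constructed inputs through both approaches and returns the results.
function demo() {
  return {
    naiveLeaks: NAIVE_BYPASSES.filter(p => naiveSanitize(p) === p).length, // 4
    link: renderLink({ text: '<img src=x onerror=alert(1)>', href: 'JavaScript:alert(1)',
                       color: 'expression(alert(1))', title: '" onmouseover="alert(1)' }),
    script: renderConfigScript({ u: '</script><script>alert(1)</script>' }),
  };
}

console.log(demo());
```

The deny-list side is the recurring weakness in editor sanitizers: it looks for one spelling of the dangerous construct, while the browser accepts several. The context-aware side never tries to recognise attacks at all; it decides per output slot what may appear there, which is the design the abstract is arguing for. Note that `safeUrl` must run on the decoded attribute value (after the editor or parser has resolved entities such as `&#x09;`), otherwise the entity-encoded payload above still gets through.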





