Session Details

2019-01-07T06:21:08+00:00

Why are we talking about XSS in 2019?

Presented by: Jim Manico
Time: Friday, Jan. 11, 2:45 PM - 3:45 PM

Why are we talking about XSS in 2019? We're unfortunately still talking about client-side script injection, or Cross-Site Scripting (XSS), in 2019 because it is painfully difficult to defend against XSS even to this day. This talk is a fundamental technology update on how developers build and secure web user-interface code. We'll address new defensive strategies such as the built-in output-encoding defenses of modern JavaScript frameworks like Angular and React. We'll also look at how CSP deployment has changed in the past 7 years, illustrating a progressive Content Security Policy that supports CSP v1, v2 and v3 concurrently. We will then look at advances in HTML sanitization on both the client and server side, and focus on sanitizers and defensive libraries that have stood the test of time in terms of maintenance and security. We'll also look at interesting design topics such as how HTML injection is still critical even in the face of rigorous XSS defense, and how HttpOnly cookies are largely ineffective. This talk should help developers and security professionals alike build a focused and modern strategy to defend against XSS in modern applications.
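The abstract mentions a single CSP deployment that serves CSP v1, v2 and v3 browsers concurrently. The following added example (not part of the session page or the speaker's material) models why that works: it builds one `script-src` directive and then applies the fallback rules each CSP level defines, so you can see which source expressions a Level 1, Level 2 or Level 3 browser actually enforces. The host `https://cdn.example.com`, the page origin `https://app.example.com` and the helper names are constructed for the illustration; the rules themselves are the "ignore unknown expressions" behaviour of CSP1, the "nonce/hash disables 'unsafe-inline'" rule of CSP2 and the "'strict-dynamic' disables hosts, 'self' and 'unsafe-inline'" rule of CSP3.

```python
"""Model of how browsers at CSP Level 1, 2 and 3 evaluate one script-src directive.

Added illustration; the fallback rules follow the CSP Level 2/3 specifications,
the hostnames and helper names are constructed for this example.
"""
import re
import secrets
from typing import Optional, Set

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")
IGNORED_UNDER_STRICT_DYNAMIC = {"'unsafe-inline'", "'self'"}


def new_nonce() -> str:
    """Fresh per-response nonce; must be unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def build_script_src(nonce: str, host_fallback: str = "https://cdn.example.com") -> str:
    """One directive that degrades gracefully across CSP levels:
    - CSP3: nonce + 'strict-dynamic' (hosts and 'unsafe-inline' are ignored)
    - CSP2: nonce (the nonce disables 'unsafe-inline')
    - CSP1: host allowlist + 'unsafe-inline' (nonce/'strict-dynamic' are unknown tokens)
    """
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' "
            f"'unsafe-inline' 'self' {host_fallback}")


def _is_nonce_or_hash(src: str) -> bool:
    return bool(NONCE_RE.match(src) or HASH_RE.match(src))


def effective_sources(directive: str, level: int) -> Set[str]:
    """Return the source expressions a browser at the given CSP level enforces."""
    tokens = directive.split()
    if not tokens or tokens[0] != "script-src":
        raise ValueError("expected a script-src directive")
    srcs = tokens[1:]
    if level == 1:
        # CSP1 has no nonces, hashes or 'strict-dynamic'; unknown tokens are dropped.
        return {s for s in srcs if not _is_nonce_or_hash(s) and s != "'strict-dynamic'"}
    has_nonce_or_hash = any(_is_nonce_or_hash(s) for s in srcs)
    if level == 2:
        kept = {s for s in srcs if s != "'strict-dynamic'"}  # still unknown in CSP2
        if has_nonce_or_hash:
            kept.discard("'unsafe-inline'")  # nonce/hash present => 'unsafe-inline' ignored
        return kept
    if level == 3:
        kept = set(srcs)
        if has_nonce_or_hash:
            kept.discard("'unsafe-inline'")
        if "'strict-dynamic'" in kept:
            # 'strict-dynamic': host/scheme sources, 'self' and 'unsafe-inline' are ignored.
            kept = {s for s in kept
                    if s.startswith("'") and s not in IGNORED_UNDER_STRICT_DYNAMIC}
        return kept
    raise ValueError("level must be 1, 2 or 3")


def allows_script(directive: str, level: int, *, src: Optional[str] = None,
                  nonce: Optional[str] = None,
                  page_origin: str = "https://app.example.com") -> bool:
    """Would a script (inline when src is None) run under this directive at this level?"""
    eff = effective_sources(directive, level)
    if nonce is not None and f"'nonce-{nonce}'" in eff:
        return True  # a matching nonce is sufficient at CSP2 and CSP3
    if src is None:
        return "'unsafe-inline'" in eff  # un-nonced inline script
    if "'self'" in eff and src.startswith(page_origin + "/"):
        return True
    hosts = [h for h in eff if not h.startswith("'")]
    return any(src.startswith(h + "/") for h in hosts)


if __name__ == "__main__":
    n = new_nonce()
    policy = build_script_src(n)
    print("Content-Security-Policy:", policy)
    for lvl in (1, 2, 3):
        print(f"CSP{lvl} enforces: {sorted(effective_sources(policy, lvl))}")
        print("   un-nonced inline script runs:",
              allows_script(policy, lvl))
        print("   nonced inline script runs:   ",
              allows_script(policy, lvl, nonce=n))
        print("   cdn script without nonce:    ",
              allows_script(policy, lvl, src="https://cdn.example.com/app.js"))
```

The takeaway the model makes visible: the same header is "allowlist plus 'unsafe-inline'" to an old browser, "nonce only" to a CSP2 browser, and "nonce plus 'strict-dynamic'" to a CSP3 browser, so the site keeps working everywhere while the strongest protection is applied wherever the browser understands it. The `'unsafe-inline'` token is only ever effective where nothing better is understood.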

Room: Aloeswood / Leopard Wood
Tags: Javascript, Security
Level: Intermediate