Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering

Ben Stock

Wed, 29th October 2014

Speaker Bio 1:
Ben Stock
Ben is currently a PhD student and research fellow at the Security Research Group of the University Erlangen-Nuremberg. Ben is particularly experienced and knowledgeable in web security and malware analysis, and he enjoys the challenges of capture-the-flag contests.

Learning Objectives:

Ben will explain:

  • In recent years, a new variant of XSS has emerged in which the vulnerabilities are caused by flaws in client-side JavaScript code (called DOM-based Cross-Site Scripting, or DOMXSS). In a recent study, we found that on the Alexa Top 10,000 domains, almost every 10th domain carries such a vulnerability.
  • For this talk, we conducted an in-depth security analysis of the leading XSS filter, namely the XSSAuditor, and show that it is inadequate to protect end users against DOMXSS, highlighting the different issues we identified.