What if XSS was a browser bug?
12-30, 14:30–15:30 (Europe/Berlin), HIP - Track 1 - Room 5
Language: English

Cross-Site Scripting (XSS) is still the most common security issue on the web - with no easy way to be prevented. The talk will provide the necessary background on XSS and where previous approaches failed. Then we will present the Sanitizer API, a new and upcoming browser API that solves this issue.

We’ll talk about mXSS and HTML parsing as background and then also explain why the XSS Auditor didn’t work (as a prime example of a browser-controlled XSS mitigation). Using examples from recent mXSS attacks against sanitizers, we are explaining the root cause of these issues and the solution: Parsing needs to be done within a context-element. Then we will explain how a built-in Sanitizer API can fill the existing gap and what it can and can not protect against, looking at more recent attacks like DOM Clobbering and script gadgets.

Frederik Braun works as a Staff Security Engineer for Mozilla Firefox in Berlin. He’s also a member of the W3C Web Application Security Working Group where he co-authored the Subresource Integrity standard. When not at work, Frederik goes on long bike treks across Europe with his wife and two kids.