Finding and Fixing DOM-based XSS - with Static Analysis
Cross-Site Scripting (XSS) consistently ranks at the top of lists of the most prevalent security problems in web applications. DOM-based XSS in particular is one of the most severe issues facing Single Page Applications and Electron apps: the tainted data flows from a source such as the URL fragment to a sink such as innerHTML entirely inside the browser, so server-side defenses never see it. In this talk we will examine the root causes of DOM-based XSS and provide fundamental insights into using static analysis to detect problematic code at scale. We will also share practical tips that ease adoption of these techniques when dealing with potential false positives or large codebases. We will conclude with an outlook on upcoming web standards which aim to help web developers tackle DOM-based XSS once and for all.
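To make the source-to-sink idea and the false-positive problem concrete, here is a small added example (written for this page; it is not the tooling from the talk) of the simplest possible static check: a line-based scanner that flags assignments and calls to HTML-interpreting DOM sinks, raises severity when a known attacker-controlled source appears in the expression, and skips two classes of false positives a real rollout has to deal with: constant string arguments and lines a reviewer has allowlisted. The sink list, the source list, the `// xss-ok` marker and the sample snippet are all assumptions constructed for illustration, not a standard.

```javascript
// Added example, not code from the talk: a toy static scanner for DOM XSS sinks.
// Assumptions: the sink/source lists below and the "// xss-ok" allowlist marker
// are illustrative choices, and the SAMPLE input is constructed for this demo.

// Sinks that interpret their input as HTML or script. Group 1 is the expression
// that reaches the sink.
const SINK_PATTERNS = [
  { sink: "innerHTML",          re: /\.innerHTML\s*=(?!=)\s*(.+)$/ },
  { sink: "outerHTML",          re: /\.outerHTML\s*=(?!=)\s*(.+)$/ },
  { sink: "document.write",     re: /\bdocument\.write(?:ln)?\s*\((.*)\)/ },
  { sink: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(\s*['"][^'"]*['"]\s*,\s*(.*)\)/ },
  { sink: "eval",               re: /\beval\s*\((.*)\)/ },
];

// Attacker-controlled sources; their presence in the sink expression raises severity.
const SOURCE_RE = /\b(location(\.(hash|search|href))?|document\.(URL|referrer|cookie)|window\.name|event\.data)\b/;

// A single string literal with no template interpolation cannot carry attacker
// data, so flagging it would be a false positive. The backreference keeps
// "'a' + x + 'b'" from being mistaken for one literal.
function isConstantString(expr) {
  const e = expr.trim().replace(/;\s*$/, "");
  const m = e.match(/^(['"`])((?:\\.|(?!\1)[^\\])*)\1$/);
  if (!m) return false;
  return !(m[1] === "`" && m[2].includes("${"));
}

// Scan one file. Returns actionable findings plus the lines that were
// deliberately skipped, so the suppressions themselves stay reviewable.
function scan(source) {
  const findings = [];
  const skipped = [];
  source.split("\n").forEach((raw, i) => {
    const lineNo = i + 1;
    const allowlisted = /\/\/\s*xss-ok\b/.test(raw);
    // Naive comment strip: fine for this sample, would clip "//" inside strings.
    const line = raw.replace(/\/\/.*$/, "");
    for (const { sink, re } of SINK_PATTERNS) {
      const m = line.match(re);
      if (!m) continue;
      const expr = m[1].trim().replace(/;\s*$/, "").trim();
      if (allowlisted) {
        skipped.push({ line: lineNo, sink, reason: "allowlisted" });
      } else if (isConstantString(expr)) {
        skipped.push({ line: lineNo, sink, reason: "constant" });
      } else {
        findings.push({ line: lineNo, sink, expr, severity: SOURCE_RE.test(expr) ? "high" : "medium" });
      }
      break; // one sink per line is enough for this toy
    }
  });
  return { findings, skipped };
}

// Constructed sample: line 2 is the classic bug, line 4 is its fix (textContent
// never parses HTML), line 3 is a constant, line 6 is a reviewed sanitizer call.
const SAMPLE_LINES = [
  "const el = document.getElementById('out');",
  "el.innerHTML = location.hash.slice(1);",
  "el.innerHTML = '<b>Loading</b>';",
  "el.textContent = location.hash;",
  "document.write(name);",
  "box.innerHTML = DOMPurify.sanitize(raw); // xss-ok: sanitized, reviewed",
  "el.insertAdjacentHTML('beforeend', `<li>${item}</li>`);",
];
const SAMPLE = SAMPLE_LINES.join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scan(SAMPLE), null, 2));
}
```

Running it on the sample reports line 2 as high (a `location.hash` source reaches `innerHTML`), lines 5 and 7 as medium, and lists lines 3 and 6 under `skipped` with their reasons. At scale the same shape holds: an AST-based tool replaces the regexes, but the two levers that make adoption bearable are exactly these, proving an argument constant and keeping suppressions explicit and auditable rather than silently dropping them.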
Frederik Braun defends Mozilla Firefox as a Staff Security Engineer in Berlin. He's also a member of the W3C Web Application Security Working Group and co-authored the Subresource Integrity standard. When not at work, Frederik goes on long bike treks across Europe with his wife and two kids.