
Jim Manico

Jim Manico is the VP of Security Architecture at WhiteHat Security. Jim has been a web application developer since 1997. He has also been an active member of OWASP since 2008 supporting projects that help developers write secure code.


Description

Ghosts of XSS past, present and future

Learning objectives

Ability to manage the risk of Cross Site Scripting (XSS) via:

  • Manual code review
  • Manual penetration testing
  • Computer programming / secure coding techniques
  • The attendee will also learn how to effectively use a variety of input validation and contextual encoding programming techniques, at multiple layers within an application, to help reduce or eliminate the risk of XSS.

Overview

This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present-day defensive methodologies that are effective but place an undue burden on the developer. We will then finish with a discussion of future XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and JavaScript sandboxes such as the Google Caja project and JSReg, as well as upcoming HTML5 defenses.
