Cross Site Scripting is yesterday's news, isn't it?
Think your framework protects you from XSS? A single call to `innerHTML` can bypass its defenses. Learn how a layered security approach can truly protect your application.
#1 (about 2 minutes)
Demonstrating a persistent cross-site scripting attack
A live demo shows how malicious JavaScript can be injected into an input field and stored in a database, executing on every page load.
#2 (about 3 minutes)
Why built-in framework sanitizers are not enough
Framework sanitizers can be bypassed by using native DOM APIs directly, and the vast majority of application code comes from third-party NPM packages.
#3 (about 4 minutes)
Introducing the Content Security Policy HTTP header
The Content Security Policy (CSP) is an HTTP header that controls which resources can be loaded and executed by the browser using directives for scripts, styles, and API connections.
#4 (about 4 minutes)
Implementing and refining a basic content security policy
A live demo shows how to add a CSP via a meta tag and then iteratively fix broken styles and API calls by adjusting the `style-src` and `connect-src` directives.
#5 (about 3 minutes)
Safely executing inline scripts with hashes and nonces
CSP Level 2 provides hashes and nonces as secure alternatives to `unsafe-inline` for whitelisting specific inline scripts for execution.
#6 (about 7 minutes)
Using CSP nonces with server-side rendering
Nonces must be unique and randomly generated on the server for each request to be secure, and the `strict-dynamic` directive allows trusted scripts to load other scripts.
#7 (about 3 minutes)
Introducing Trusted Types to secure dangerous DOM sinks
Trusted Types is a new CSP directive that locks down dangerous DOM APIs, requiring that any data passed to them must first be sanitized and wrapped in a special trusted object.
#8 (about 3 minutes)
Implementing Trusted Types with the DOMPurify library
Instead of writing custom sanitization logic, you can use a library like DOMPurify with its `RETURN_TRUSTED_TYPE` option to easily create secure, trusted HTML objects.
#9 (about 1 minute)
Browser support and final recommendations for trusted types
Trusted Types are currently supported by all Chromium-based browsers, making it a viable defense-in-depth strategy for a significant portion of web users.