OWASP AppSecUSA 2011: Ghosts of XSS past, present and future

Speaker: Jim Manico

This talk will discuss the past methods used for XSS defence that were only partially effective. Learning from these lessons, will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer.

We will then finish with a discussion of future XSS defense mythologies that shift the burden of XSS defense from the developer to various frameworks.

These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and Javascript sandboxes such as the Google CAJA project and JSReg.

Main category

Disclosure & vulnerability



Main category

Information security & security management


Information security

Be surprised

I know what I'm looking for

Related videos