Thursday, May 11 • 11:35 - 12:20
Don’t trust the DOM: Bypassing XSS mitigations via Script gadgets

Over the years, many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, such as HTML sanitizers or CSP, focus on script tags and event handlers. In this talk, we present a novel Web hacking technique that enables an attacker to bypass these mitigations. In order to do so, the attacker abuses so-called script gadgets. A gadget is a legitimate piece of JS in a page that reads elements via selectors and processes them in a way that results in script execution. To abuse a gadget, the attacker injects benign elements that match the gadget’s selector. Subsequently, the gadget selects the elements and executes the attacker's scripts. As the attacker's markup is benign, it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element. Based on real-world examples, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications.
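As an added illustration (not code from the talk or from any library it covers), the sketch below puts a gadget of the kind the abstract describes beside a hardened form. The DOM is modelled as plain objects so the block runs in Node; the `data-bind` attribute, the sample elements and all function names are assumptions made for this example.

```javascript
// Constructed sample: markup as it looks after sanitizing. No <script> tag and
// no on* handler is present, only a data- attribute on a <div>.
const sanitizedElements = [
  { tag: "div", attrs: { "data-bind": "greeting" } },                    // intended use
  { tag: "div", attrs: { "data-bind": "globalThis.gadgetRan = true" } }, // injected
];

// Toy check for the two things the abstract says mitigations focus on:
// script tags and event-handler attributes.
function passesSanitizer(el) {
  const hasHandler = Object.keys(el.attrs).some((n) => n.toLowerCase().startsWith("on"));
  return el.tag.toLowerCase() !== "script" && !hasHandler;
}

// Stand-in for document.querySelectorAll("[data-bind]").
function select(elements) {
  return elements.filter((el) => "data-bind" in el.attrs);
}

// Gadget: legitimate page code that treats the attribute value as an
// expression. Evaluating it is the step that elevates inert markup to code.
function vulnerableGadget(elements, model) {
  return select(elements).map((el) =>
    new Function("model", `with (model) { return (${el.attrs["data-bind"]}); }`)(model));
}

// Hardened form: the attribute value is only ever data. It is used as a key
// into the model's own properties and is never parsed or evaluated.
function hardenedGadget(elements, model) {
  return select(elements).map((el) => {
    const key = el.attrs["data-bind"];
    return Object.prototype.hasOwnProperty.call(model, key) ? model[key] : null;
  });
}

const model = { greeting: "hello" };
console.log("all elements pass the sanitizer:", sanitizedElements.every(passesSanitizer));
console.log("hardened gadget output:", hardenedGadget(sanitizedElements, model));
console.log("flag set by hardened gadget:", globalThis.gadgetRan === true);
```

The review question for any selector-driven code is whether a value read from the DOM ever reaches an evaluating sink; in the hardened form it cannot, whatever the markup contains.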

Speakers
Sebastian Lekies

Sebastian Lekies is a Senior Software Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests include client-side Web application security and Web application security scanning. At Google, Sebastian is part of the Security Test Engineering team...


Thursday May 11, 2017 11:35 - 12:20
Waterfront Center: Hall 1A