The innerHTML Apocalypse - How mXSS attacks change everything we believed to know so far
This talk introduces and discusses a novel, mostly unpublished technique to attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its often unknown capabilities - every single one of them.
We analysed the type and number of websites that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to be understood and researched even further.
The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
Mario (@0x6D6172696F) Heiderich, heart-breaker, bon vivant and co-organizer of this track will cover them mXSS attacks - HTML injections that break each and every HTML filter and show how hard it is to really effectively protect against XSS exploits if browsers are buggy.
Remove this from your schedule?
This session is full and you may not be able to get back in.