Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Thursday, August 22 • 3:55pm - 4:40pm
Content Security Policy - the panacea for XSS or placebo?

Content Security Policy (CSP) is a mechanism to mitigate one of the most
common web application issues, Cross-Site Scripting (XSS).
CSP is a declarative policy that lets an application tell the browser
the specific origins from which it expects resources, such as scripts and
images, to be loaded.

In this presentation, we will talk about:

1. XSS. Very briefly, because in 2013 pretty much everyone knows about this attack.
2. CSP. Which risks this mechanism covers and which it does not:

- CSP inside
- Browser support status and issues
- Policy definition mistakes and CSP common security considerations
- XSS without JS

3. Experience. How we implemented CSP on a service with an audience of
more than 11 million users per week:

- Changes in the service
- Bugs in browser implementations
- Problems with 3rd party libraries
- Way from Report-Only to Block mode
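The abstract mentions policy definition mistakes and the move from Report-Only to blocking mode. The following is an added example, not material from the talk or from Yandex's implementation: a small checker that parses a CSP header, flags the directive values that commonly leave XSS unmitigated, and builds the header under either the report-only or the enforcing name. The two sample policies are constructed for illustration.

```python
"""Lint a Content-Security-Policy header for common policy mistakes.

Added example; the policies below are constructed, not taken from any real site.
"""
from typing import Dict, List, Tuple

# Constructed sample policies: one typical weak policy, one tightened policy.
WEAK_POLICY = "script-src 'self' 'unsafe-inline' *; img-src *"
STRONG_POLICY = (
    "default-src 'none'; script-src 'self' https://static.example.com; "
    "img-src 'self' data:; style-src 'self'; report-uri /csp-report"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'name value value; name value' into {name: [values]}.

    Directive names are case-insensitive; the last occurrence would win in a
    browser, so later duplicates overwrite earlier ones here as well.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        policy[name] = values
    return policy


def lint_csp(header: str) -> List[str]:
    """Return human-readable findings for settings that weaken XSS mitigation."""
    policy = parse_csp(header)
    findings: List[str] = []

    # Fetch directives that are not set explicitly fall back to default-src;
    # without default-src they are simply unrestricted.
    if "default-src" not in policy:
        findings.append("missing default-src: unlisted fetch directives are unrestricted")

    # script-src inherits from default-src when absent.
    script_srcs = policy.get("script-src", policy.get("default-src", []))

    if "'unsafe-inline'" in script_srcs:
        findings.append("'unsafe-inline' in script-src: injected inline scripts still execute")
    if "'unsafe-eval'" in script_srcs:
        findings.append("'unsafe-eval' in script-src: eval()/Function() remain available")
    if any(s == "*" or s.startswith("*.") or s.startswith("http:") for s in script_srcs):
        findings.append("overly broad script-src: wildcard or plain-http source permitted")

    # Without a reporting endpoint, violations (and therefore XSS attempts and
    # policy breakage) are invisible to the service owner.
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will not be reported")

    return findings


def csp_header(policy: str, enforce: bool) -> Tuple[str, str]:
    """Build the (header-name, value) pair for report-only or enforcing mode.

    Deploying first as Content-Security-Policy-Report-Only lets violations be
    collected without breaking the site; switching the name enforces the policy.
    """
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(f"{label}: {lint_csp(pol) or ['no findings']}")
    print(csp_header(STRONG_POLICY, enforce=False))
```

Run as-is, the weak policy produces four findings and the tightened one none; the same tightened policy is emitted under the Report-Only header name first, which is the staging step the abstract refers to before switching to blocking mode.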
Speakers

Taras Ivashchenko

Yandex
Taras Ivashchenko - Information Security Officer at Yandex. For a long time he focused on penetration tests (especially under the PCI DSS standard), but his main focus has always been on web application security and web technologies in general. He is well known for his research (http://www.oxdef.info) in the field of web browser extension security risks and as a contributor to the w3af (http://w3af.org) project. Taras was a speaker at several security conferences and events...

Thursday August 22, 2013 3:55pm - 4:40pm
Großer Saal