Cross-Site Scripting techniques and quirky JavaScript have received a lot of attention recently — more and more ways to get a handle on this threat are being developed and practiced. Security-aware people switch JavaScript off, developers can use sandboxed iframes and CSP to protect their applications, and NoScript, XSS filters and HTML Purifier do a great job of keeping people from getting “XSS’d”. But what about attacks in the browser that don’t require any scripting at all — but still steal your precious data before you know it? What about attacks so sneaky and sophisticated, or just so simple, that even your best anti-XSS solution won’t prevent them, since they use no scripting but fierce markup tricks from outer space? This talk will introduce and discuss those kinds of attacks, show how attackers steal plain-text passwords, read CSRF tokens and other sensitive data, and create self-spying emails and worse. Deactivating JavaScript and eliminating is a good level of protection? Not anymore!
