Got your Nose! How to Steal Your Precious Data Without Using Scripts

March 22, 2012 (at 2:30 p.m.) in Attack & Research

Cross-Site Scripting techniques and quirky JavaScript have received a lot of attention recently — more and more ways to get hands on this threat are being developed and practiced. Security-aware people switch JavaScript off, developers can use sandboxed IFrames and CSP to protect their applications, and NoScript, XSS filters and HTML Purifier do a great job of keeping people from getting “XSS’d”. But what about attacks in the browser that don’t require any scripting at all — but still steal your precious data before you know it? What about attacks so sneaky and sophisticated, or just so simple, that even your best Anti-XSS solution won’t prevent them, since they don’t use any scripting but fierce markup tricks from outer space? This talk will introduce and discuss those kinds of attacks, and show how attackers steal plain-text passwords, read CSRF tokens and other sensitive data, create self-spying emails, and worse. Deactivating JavaScript and eliminating is a good level of protection? Not anymore!

Mario Heiderich

Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany, focuses on HTML5 and SVG security, and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Mario invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple-minded fun of breaking things. Mario has spoken at a large variety of international conferences, co-authored two books and several academic papers, and doesn’t see a problem in his few-weeks-old son having a netbook already. There you have it.

Twitter: @0x6d6172696f (https://twitter.com/#!/0x6d6172696f)
Website (Warning: Your eyes could take some damage here.): mario.heideri.ch (http://mario.heideri.ch/)