XSS

A 4-post collection

XSS’ing the security speaker panel via sli.do

One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected:

"When someone whacks XSS in the live question feed whilst you're answering security questions on a panel... pic.twitter.com/paLp7ECXHF"
— Troy Hunt (@troyhunt) January 22, 2016

This was whilst answering questions on a panel – a security panel – at ProgramUtvikling’s security day in Oslo last week (they’re the guys who run the NDC conferences around the world). I was sitting up there on the stage with Erlend Oftedal and...

How I got XSS’d by my ad network

This is really not what you ever want to see on your own site: It’s a JavaScript prompt and no, it’s not meant to be there. Someone had successfully mounted an XSS attack against this very website! Now I’ve written a lot about XSS, I’ve authored multiple Pluralsight courses that talk about it in detail and I’ve run many workshops on the topic teaching others the very mechanics of how cross site scripting works. Yet here we are – XSS on my own blog. Fortunately, this was discovered by friend and fellow security MVP Alun Jones who you can hear in the video above. If anyone’s going to...

Understanding XSS – input sanitisation semantics and output encoding contexts

Cross site scripting (henceforth referred to as XSS) is one of those attacks that’s both extremely prevalent (remember, it’s number 2 on the OWASP Top 10) and frequently misunderstood. You’ll very often see some attempt at mitigating the risk but then find it’s easily circumvented because the developers weren’t fully aware of the attack vectors. Last week someone flicked me over a great example of this after having read my previous post Here’s why we keep getting hacked – clear and present Billabong failures. In that post I pointed out the ease with which you could decorate Billabong’s registration page with the beautiful Miranda Kerr and...

OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS)

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET". In the first post of this series I talked about injection and, of most relevance for .NET developers, SQL injection. This exploit has some pretty severe consequences, but fortunately many of the common practices employed when building .NET apps today – namely accessing data via stored procedures and ORMs – mean most apps have a head start on fending off attackers. Cross-site scripting is where things begin to get really interesting, starting with the fact that it’s by far and away the most commonly exploited vulnerability out there today. Last year, WhiteHat Security delivered their Website Security...