A live demo shows how malicious JavaScript can be injected into an input field and stored in a database, executing on every page load.
Framework sanitizers can be bypassed by using native DOM APIs directly, and the vast majority of application code comes from third-party NPM packages.
The Content Security Policy (CSP) is an HTTP header that controls which resources can be loaded and executed by the browser using directives for scripts, styles, and API connections.
A live demo shows how to add a CSP via a meta tag and then iteratively fix broken styles and API calls by adjusting the `style-src` and `connect-src` directives.
CSP Level 2 provides hashes and nonces as secure alternatives to `unsafe-inline` for whitelisting specific inline scripts for execution.
Nonces must be unique and randomly generated on the server for each request to be secure, and the `strict-dynamic` directive allows trusted scripts to load other scripts.
Trusted Types is a new CSP directive that locks down dangerous DOM APIs, requiring that any data passed to them must first be sanitized and wrapped in a special trusted object.
Instead of writing custom sanitization logic, you can use a library like DOMPurify with its `RETURN_TRUSTED_TYPE` option to easily create secure, trusted HTML objects.
Trusted Types are currently supported by all Chromium-based browsers, making it a viable defense-in-depth strategy for a significant portion of web users.
Sensory-Minds GmbH
Offenbach am Main, Germany
Hubert Burda Media
München, Germany
45:19Philippe De Ryck
36:39Thomas Konrad
26:59Jakub Andrzejewski
28:41Alexander Pirker
29:47Thomas Chauchefoin & Paul Gerste
27:10Sonya Moisset
27:41Liran Tal
44:11Raul Onitza-Klugman & Kirill Efimov
Jobs that call for the skills explored in this talk.
ThreatFabric B.V.
Amsterdam, Netherlands