This course aims to teach learners how to mitigate cross-site scripting (XSS) attacks using Content Security Policy (CSP). The learning outcomes include understanding the differences between CSP 1.0 and CSP 2.0, learning how CSP protects web applications from XSS, and knowing how to implement CSP on a website. The course covers topics such as DOM-based XSS, script sources, wildcards, default CSP, connecting sources, monitoring, report-only policy, inline JavaScript, CSP nonce, and hash sources. The teaching method involves a 30-minute talk by a Senior Security Consultant, making it suitable for web application developers interested in enhancing their security measures.
Overview
Syllabus
Intro
About Ksenia
Dombased XSS
Script source
Wildcards
Default
CSS
Connect Source
Monitoring
Report Only Policy
Inline JavaScript
CSP
Nonce
Hash Source
Taught by
LASCON
Related Courses
-
No More XSS - Deploying CSP with Nonces and Strict-Dynamic
-
Don't Trust the DOM - Bypassing XSS Mitigations via Script Gadgets
-
OWASP Top 10 for JavaScript Developers
-
Evaluating the Effectiveness of Content Security Policy in the Wild
-
Client-Side Protection Against DOM-Based XSS Done Right
-
XSS, CSRF, CSP, JWT, WTF? IDK - JSConf Iceland
