Don't Trust the DOM - Bypassing XSS Mitigations via Script Gadgets

OWASP Foundation via YouTube

Overview

This course aims to teach learners a novel web hacking technique that allows attackers to bypass most Cross-Site Scripting (XSS) mitigations by abusing script gadgets. The course covers the concept of script gadgets, attacker models, methodologies for bypassing various security measures like Web Application Firewalls (WAFs) and XSS filters, HTML sanitizers, and Content Security Policy (CSP). The intended audience for this course includes web developers, security professionals, and individuals interested in understanding advanced web security vulnerabilities and prevention mechanisms.

Syllabus

Intro
Agenda
Cross-Site Scripting (XSS) primer
Isn't XSS a solved problem?
How do mitigations work?
Modern Applications - Example
What are Script Gadgets?
Attacker model
Methodology
Bypassing WAFs & XSS filters
Bypassing HTML sanitizers
Bypassing Content Security Policy
Bypassing CSP strict-dynamic
Gadgets in expression parsers
Empirical Study
Research Questions
Script Gadgets in user land code
Gadgets effectiveness - user land code
Root Cause Analysis
Example
Challenges
Call to arms
Summary

Taught by

OWASP Foundation
