Insane in the IFRAME -- The case for client-side HTML sanitization
Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and learning from a prototype implementation.

Published in: Technology

  1. David Ross, Principal Software Security Engineer, Trustworthy Computing Security, Microsoft
  2. @randomdross
  3. *
  4. @NealPoole https://t.co/5omk5ec2UD
  5. @kkotowicz @NealPoole @adam_baldwin
  6. @sneak_ @superevr
  7. difficult
  8. • No independent parsing / context handling
  9. everything else
  10. document.implementation.createHTMLDocument
  11. document.createTreeWalker
  12. 3. Remove elements / attributes / etc. not explicitly allowed* (*Old, less-performant approach: build yet another DOM by copying safe elements / attributes / etc. to a new DOM during the tree walk)
  13. document.implementation.createHTMLDocument: must never run script
  14. setAttribute
  15. promises / deferreds
  16. [Demo] [Benchmark] Options precedence / inheritance rules: (options specified on target element) > (options specified on sanitize() call) > (default options)
  17. Mario Heiderich @0x6D6172696F (JSAgents / IceShield); Gareth Heyes @garethheyes (JSLR); Ben Livshits and Loris D'Antoni (FAST); Caja HTML sanitizer; Stefano Di Paola; Eduardo 'Sirdarckcat' Vela N.
  18. I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (self.AMA) 1 Submitted 1 second ago by randomdross 0 comments share
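The slides above only survive as headings, so here is an added illustration of the approach they outline (parse with the browser's own engine into an inert document, walk it with a TreeWalker, strip everything not explicitly allowed, and resolve options as target element > sanitize() call > defaults). It is example code written for this page, not the prototype Ross demonstrated; the function names `sanitizeInto`, `resolveOptions` and `urlAllowed`, the `data-allow-*` attributes used to encode per-target options, the default allowlists and the sample inputs are all assumptions, and it needs a real browser because it depends on the DOM.

```html
<!doctype html>
<meta charset="utf-8">
<title>Client-side sanitizer sketch (added example, not the talk's prototype)</title>
<div id="out" data-allow-elements="p,b,i,em,strong,a,br,ul,ol,li"></div>
<script>
// 1. Parse untrusted markup into a document created with
//    document.implementation.createHTMLDocument. It has no browsing context, so
//    script never runs and event handlers never fire while we inspect it.
// 2. Walk the result with document.createTreeWalker.
// 3. Remove, in place, every element and attribute not explicitly allowed.
//    Nothing is copied into a second DOM and setAttribute is never called with
//    attacker-controlled values; the only mutation is removal.
// Option precedence (assumed encoding of slide 16): options on the target
// element (data-allow-* attributes) > options passed to sanitizeInto() > DEFAULTS.

const DEFAULTS = {                      // assumed defaults for this example
  elements:   ['p', 'b', 'i', 'em', 'strong', 'a', 'br', 'ul', 'ol', 'li', 'img'],
  attributes: ['href', 'src', 'alt', 'title'],
  schemes:    ['http:', 'https:', 'mailto:'],
};
const XHTML_NS = 'http://www.w3.org/1999/xhtml';

function readTargetOptions(target) {
  const opts = {}, ds = target.dataset;
  if (ds.allowElements)   opts.elements   = ds.allowElements.split(',');
  if (ds.allowAttributes) opts.attributes = ds.allowAttributes.split(',');
  if (ds.allowSchemes)    opts.schemes    = ds.allowSchemes.split(',');
  return opts;
}

function resolveOptions(target, callOptions) {
  const merged = { ...DEFAULTS, ...callOptions, ...readTargetOptions(target) };
  const norm = list => new Set(list.map(s => s.trim().toLowerCase()));
  return { elements: norm(merged.elements), attributes: norm(merged.attributes),
           schemes: norm(merged.schemes) };
}

// URL-valued attributes are judged by the browser's URL parser, so a value
// such as "jav&#x09;ascript:" (a tab after entity decoding) or " javascript:"
// resolves to its real scheme instead of whatever a hand-written regex sees.
function urlAllowed(value, schemes) {
  let url;
  try { url = new URL(value, document.baseURI); } catch { return false; }
  return schemes.has(url.protocol);
}

function sanitizeInto(target, untrusted, callOptions = {}) {
  const opts = resolveOptions(target, callOptions);
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = untrusted;       // inert parse: same engine, no execution

  const walker = doc.createTreeWalker(doc.body,
                                      NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT);
  const doomed = [];
  for (let node = walker.nextNode(); node; node = walker.nextNode()) {
    // Comments, foreign content (svg, math) and any element not on the allowlist
    // (script, style, template, iframe, ...) are queued and dropped with their
    // subtree after the walk, so the walker's position is never invalidated.
    if (node.nodeType === Node.COMMENT_NODE ||
        node.namespaceURI !== XHTML_NS ||
        !opts.elements.has(node.localName)) {
      doomed.push(node);
      continue;
    }
    for (const attr of Array.from(node.attributes)) {
      const name = attr.name.toLowerCase();
      const isUrl = name === 'href' || name === 'src';
      if (!opts.attributes.has(name) || (isUrl && !urlAllowed(attr.value, opts.schemes))) {
        node.removeAttribute(attr.name);  // removal only, never setAttribute from input
      }
    }
  }
  doomed.forEach(n => n.remove());

  // Move the surviving nodes into the live document rather than serializing to a
  // string and re-parsing, which would run the markup through the parser a second time.
  target.replaceChildren(...Array.from(doc.body.childNodes));
}

// Constructed inputs for the demo; each exercises one thing the inert parse catches.
const samples = [
  '<p onclick="steal()">hello <script>alert(1)</script><b>world</b></p>',
  '<a href="jav&#x09;ascript:alert(1)">link</a> <a href="https://example.com/">ok</a>',
  '<img src="x" onerror="alert(1)"><svg><script>alert(2)</script></svg>',
  '<template><img src="x" onerror="alert(3)"></template><!-- comment -->',
];
const out = document.getElementById('out');
for (const s of samples) {
  sanitizeInto(out, s);
  console.log(out.innerHTML);
}
</script>
```

Two things to check when adapting this: the target element's `data-allow-elements` here deliberately omits `img`, so the precedence rule removes images even though the defaults permit them; and the final step hands the sanitized nodes to the live document directly, because serializing the inert tree to a string and re-parsing it with `innerHTML` gives the parser a second chance to interpret the markup differently from what was inspected.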