Insane in the IFRAME -- The case for client-side HTML sanitization

Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk makes the case that, because server-side HTML sanitizers cannot faithfully simulate every potential user agent, the client itself is the only party in a position to perform accurate sanitization. We examine the DOM API primitives required to perform such client-side sanitization and review results and lessons learned from a prototype implementation.

    Presentation Transcript

    • David Ross Principal Software Security Engineer Trustworthy Computing Security Microsoft
    • @randomdross
    • @NealPoole https://t.co/5omk5ec2UD
    • @kkotowicz @NealPoole @adam_baldwin
    • @sneak_ @superevr
    • difficult
    • No independent parsing / context handling
    • everything else
    • document.implementation.createHTMLDocument
    • document.createTreeWalker
    • 3. Remove elements / attributes / etc. not explicitly allowed* (*Old, less-performant approach: build yet another DOM by copying safe elements / attributes / etc. to a new DOM during the tree walk)
    • document.implementation.createHTMLDocument: must never run script
    • setAttribute
    • promises / deferreds
    • [Demo] [Benchmark] Options precedence / inheritance rules: (Options specified on target element) > (options specified on sanitize() call) > (default options)
    • Mario Heiderich @0x6D6172696F (JSAgents / IceShield); Gareth Heyes @garethheyes (JSLR); Ben Livshits, Loris D’Antoni (FAST); Caja HTML sanitizer; Stefano Di Paola; Eduardo ‘Sirdarckcat’ Vela N.
    • I just presented on HTML sanitization at OWASP AppSec EU 2013. AMA! (submitted to reddit by randomdross)
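The abstract and the transcript sketch the approach without showing code: parse untrusted markup into an inert document created with `document.implementation.createHTMLDocument` (which must never run script), enumerate nodes with `document.createTreeWalker`, and remove every element and attribute not explicitly allowed. The following is an added example written for this page, not code from the talk or its prototype; the element allowlist, the per-element attribute allowlist, the URL scheme list and the `https://example.invalid/` base used for resolving relative URLs are assumptions chosen for illustration.

```javascript
// Added example, not the talk's code: a minimal client-side allowlist sanitizer
// built from the DOM primitives the slides name (createHTMLDocument for inert
// parsing, createTreeWalker for enumeration, removal of anything not allowed).
// The allowlists and scheme list are assumptions chosen for illustration.

const ALLOWED_ELEMENTS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'span', 'img']);
// A Map rather than a plain object, so a lookup of a name like "constructor"
// cannot fall through to Object.prototype.
const ALLOWED_ATTRIBUTES = new Map([
  ['*', new Set(['title'])],        // permitted on every allowed element
  ['a', new Set(['href'])],
  ['img', new Set(['src', 'alt'])],
]);
const SAFE_URL_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isAllowedElement(tagName) {
  return ALLOWED_ELEMENTS.has(tagName.toLowerCase());
}

// A URL attribute is kept only if the WHATWG URL parser accepts the value and
// the resulting scheme is allowlisted. The fixed base (a placeholder) resolves
// relative URLs; the parser itself strips the tabs and newlines that ad hoc
// string checks tend to miss.
function isSafeUrl(value) {
  let url;
  try {
    url = new URL(value, 'https://example.invalid/');
  } catch (e) {
    return false;
  }
  return SAFE_URL_SCHEMES.has(url.protocol);
}

function isAllowedAttribute(tagName, attrName, value) {
  const tag = tagName.toLowerCase();
  const name = attrName.toLowerCase();
  const perTag = ALLOWED_ATTRIBUTES.get(tag);
  const listed = ALLOWED_ATTRIBUTES.get('*').has(name) || (perTag !== undefined && perTag.has(name));
  if (!listed) return false;
  if (name === 'href' || name === 'src') return isSafeUrl(value);
  return true;
}

// Parse the untrusted markup in a separate document that has no browsing
// context, so nothing in it executes; walk the tree; drop disallowed nodes and
// attributes; then hand back the survivors as a fragment adopted into the
// target document. Returning nodes instead of a string avoids re-parsing a
// serialized result, which is where the "build yet another DOM" cost came from.
function sanitizeHTML(untrustedHtml, doc) {
  const target = doc || document;
  const inert = target.implementation.createHTMLDocument('sanitizer');
  inert.body.innerHTML = untrustedHtml;

  // Collect first, then mutate: removing nodes while the walker is iterating
  // would change what it visits next.
  const walker = inert.createTreeWalker(inert.body, NodeFilter.SHOW_ALL);
  const nodes = [];
  let n;
  while ((n = walker.nextNode())) nodes.push(n);

  for (const node of nodes) {
    if (!inert.body.contains(node)) continue; // already removed with an ancestor
    if (node.nodeType === 1) {                  // Node.ELEMENT_NODE
      if (!isAllowedElement(node.localName)) { node.remove(); continue; }
      for (const attr of Array.from(node.attributes)) {
        if (!isAllowedAttribute(node.localName, attr.name, attr.value)) {
          node.removeAttribute(attr.name);
        }
      }
    } else if (node.nodeType !== 3) {           // keep text nodes; drop comments etc.
      node.remove();
    }
  }

  const fragment = target.createDocumentFragment();
  while (inert.body.firstChild) fragment.appendChild(target.adoptNode(inert.body.firstChild));
  return fragment;
}

// Browser-only demonstration on a constructed input; skipped where no DOM exists.
if (typeof document !== 'undefined') {
  const out = document.createElement('div');
  out.appendChild(sanitizeHTML('<p onclick="x()">hi <a href="javascript:y()">link</a><script>z()</script></p>'));
  console.log(out.innerHTML);
}
```

The policy functions (`isAllowedElement`, `isAllowedAttribute`, `isSafeUrl`) are pure and can be unit-tested outside a browser; `sanitizeHTML` needs a real DOM because the whole argument of the talk is that the browser's own parser, not a reimplementation of it, decides what the markup means. Callers append the returned fragment to the destination element rather than round-tripping through `innerHTML` again.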