</XSS>: The 3 Letter Monster<br />Nishant Das Patnaik<br />Venue: PayPal<br />4th December 2010<br />
~# whoami<br />Security Analyst, eBay IPC<br />Author, Software Hacking (with AnkitFadia)<br />Guest Columnist, The Times of India; The Telegraph<br />Researcher, ClubHack; NullCon<br />Core Developer, SHANK (Portable Multi-Boot Security OS)<br />President, N.E.H.A.<br />Cyber Espionage Specialist<br />Contributing Member, CorelanTeam; IHP<br />Trained 3000+ Students, Professionals on Security Audit<br />… a fun-loving guy who lives down the lane!<br />
./agenda<br />./scenario: The scene so far<br />./details: What is XSS?<br />./impact: What can XSS do?<br />./victims: Who are suffering?<br />./targets: Who are being exploited?<br />./entrypoints: Where does XSS live?<br />./detection: How to find XSS?<br />./protection: How to protect from XSS?<br />./resources: Where to learn more?<br /> Q & A<br />
./details<br />What is XSS? <br />XSS is NOT a vulnerability! It's an attack, an injection attack. <br />The strcpy() of Web! <br />Exploits your trust on the site.<br />Types: <br /><ul><li>Reflected (One Time; More Common; Less Dangerous)
Persistent (Recurring; Less Common; More Dangerous)
DOM Based (Local; Rare)</li></li></ul><li>./impact<br /><ul><li>Change your University website to a porn megastore.