San Francisco, California
London, United Kingdom
This talk introduces and discusses a novel, mostly unpublished technique to attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its often unknown capabilities - every single one of them.
We analyzed the type and number of websites that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to be understood and researched even further.
The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
When & Where
- OWASP: https://www.owasp.org
- OWASP Helsinki: https://www.owasp.org/index.php/Helsinki