This event has ended. Visit the official site or create your own event on Sched.
One Track
Lots of Flavor
Back To Schedule
Wednesday, April 17 • 1:45pm - 2:30pm
Trusted types & the end of DOM XSS

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

18 years have passed since Cross-Site Scripting (XSS) has been identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all various flavours of Content Security Policy.

Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications.

It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design.

But perhaps we have a chance this time? Trusted Types is a new browser API that
allows a web application to limit its interaction with the DOM, with the goal of obliterating
DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow to isolate the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries, or client-side sanitizers to use them as building blocks of a secure application.

Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all.

avatar for Krzysztof Kotowicz

Krzysztof Kotowicz

Software Engineer, Google LLC
Krzysztof Kotowicz is a web security researcher specialising in discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Speaker at various security conferences (ACM CCS 2017, Black Hat USA 2017, Owasp... Read More →

Wednesday April 17, 2019 1:45pm - 2:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

Attendees (24)