Cross-site scripting defense and attacks

Cross-site scripting (XSS) examples often cover trivial exploitation examples and fail to describe the proper methods for correcting the issues. Although alert boxes are certainly impressive, they do not scratch the surface of what cross-site scripting can do to a victim. Software testers can use JavaScript payloads for website defacement, reading web page information, reading cookie values, redirection, and frame injection to Metasploit to illustrate the risks much more effectively than displaying pop-ups. This presentation also covers using Browser Exploitation Framework (BeEF) to automate these tasks and more. Standard remediation advice often falls short of fully remediating the issue. Proper encoding, as the OWASP cross-site scripting prevention checklist describes, is the appropriate method for remediating cross-site scripting vulnerabilities.

Bio: Stephen Deck is a Senior Security Consultant with DirectDefense where he focuses on application security testing and code security reviews. Stephen worked as an Army infantry officer for four years and 15 years in the Information Technology field. During his time in IT, he worked in the penetration testing, security engineering, incident response, and software development fields. Stephen holds 13 information security certifications including the GSE, OSCE, and CISSP.