The Open Web Application Security Project (OWASP) has compiled a Top Ten list of security vulnerabilities every few years since 2003. One specific vulnerability has persistently appeared on every list: Cross-Site Scripting (XSS), a.k.a. the injection of malicious JavaScript. JavaScript is quickly becoming the most popular (or at least the most used) programming language in the world; more developers and tools are joining the ecosystem every day.
Despite over 10 years of awareness through highly visible exploits and education through the OWASP Top Ten, despite thousands of new and experienced developers entering the field of JavaScript over that decade, and despite fancy new tools and frameworks meant to protect us from XSS, how can XSS actually have risen in rank on the vulnerability list?
In this presentation, I'll break down how XSS works in theory and in practice, explain what the OWASP Top Ten is and why it matters, tell some stories about notable exploits from the last 10 years, and demonstrate some lesser-known vulnerabilities in client-side rendering libraries like Angular, Vue, and even React that bite developers practically every day.