A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Securing the DOM from the Bottom Up - Mike Samuel BSides Cleveland 2019 (Hacking Illustrated Series InfoSec Tutorial Videos)

Securing the DOM from the Bottom Up
Mike Samuel


18 years have passed since Cross-Site Scripting (XSS) became the single most common security problem in web applications. Since then, numerous efforts have been proposed to detect, fix or mitigate it, but these piecemeal efforts have not combined to make it easy to produce XSS-free code. This talk explains how Google's security team has achieved a high-level of safety against XSS and related problems by integrating tools to make it easier for developers to produce secure software than vulnerable, and to bound the portion of a codebase that could contribute to a vulnerability. We will show how this works in practice and end with advice on how to achieve the same results on widely-used, open-source stacks and new browser mechanisms that will make it much easier to achieve high-levels of security with good developer experience.

Mike Samuel works on Google's technical infrastructure team improving libraries and programming languages to make it easier to produce secure & robust software. Mike has worked on JavaScript sandboxing, the Secure EcmaScript and other language committee proposals, making template languages XSS-free, tweaking linkers to check system security properties, and providing end-to-end security via safe contract types. He is currently investigating full-stack security. Mike has previously spoken at various security and developer conferences Including ACM CCS, Ajax Experience, Google I/O, JavaOne, Linux Foundation OSLS, OWASP Research, JSConf EU, Node Summit, and Nordic JS. ---- Krzysztof Kotowicz is a web security researcher specialising in discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Speaker at various security conferences (ACM CCS 2017, Black Hat USA 2017, Owasp AppSec EU 2017, Nullcon 2016, Owasp AppSec Europe 2013, Black Hat USA 2012), member of the Google Vulnerability Reward Program panel, author of various web security attack techniques & security tools. Previously an avid fan of XSS, now he just wants to get rid of that security bug - once and for all.

Back to BSides Cleveland 2019 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast