Cross-site scripting issues remain a big problem of the web: using a combination of big data mining and relatively simple detection methods, we have identified attackers successfully exploiting XSS flaws on over 1,000 vulnerable pages on hundreds of websites, spanning multiple countries, types of organizations, all major TLDs, and well known international companies. We also found numerous malicious attacks of different severity leveraging existing XSS vulnerabilities.
In this talk first we summarize our findings, presenting both unusual cases and various statistics, and then we follow up with present state-of-the art methods of protection from probing for XSS vulnerabilities and XSS attacks, showing that they are capable of intercepting over 95% of the real-world malicious samples. We will also introduce a new research tool called detectXSSlib, which is a lightweight module for nginx server dedicated to real-time detection of XSS attacks.
Greg Wroblewski, PhD, CISSP, is a senior security researcher at Microsoft’s Trustworthy Computing Security group. Over the last 9 years he worked in many areas of security response, presenting at Black Hat USA 2007 and 2012. At Microsoft he focuses on security problems in on-line services, detection of attacks and pentesting. In the past he was responsible for the technical side of patches in over 50 Patch Tuesday bulletins as well as hardening of products like Windows and Office. Recently he lead development effort to port ModSecurity module to IIS and nginx servers.
Ryan C. Barnett is a Lead Security Researcher on Trustwave's SpiderLabs Research Team where his focus is web application defense. In addition to working with Trustwave, he is a Web Application Security Consortium (WASC) Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects. He also serves as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett is a frequent speaker at security industry conferences such as Blackhat and has also authored two Web security books including the Web Application Defender's Cookbook: Battling Hackers and Protecting Users.