Heisenbug 2019 SPb (17.05.2019)

Successfully detecting XSS vulnerabilities


Ivan will explain what an XSS vulnerability is, share his own technique for detecting it, walk through the parts of a web application that are most likely to be vulnerable, and show how to craft a generic payload that reliably reveals XSS.

XSS vulnerabilities are among the most common and most dangerous web application security bugs. Virtually every web application is susceptible to XSS in one form or another. A tester's task is to find these bugs before an attacker does.

In this talk, Ivan will explain what this vulnerability is and share his own technique for detecting it. Using this technique, over the past year he has found 54 XSS bugs through bug bounty programs, some of them in the products of large companies such as Mail.ru, Yandex and Qiwi. He will walk through the parts of a web application that are most likely to be vulnerable and show how to craft a generic payload that reliably reveals XSS. He will also show which related vulnerabilities you can look for in your own web applications.

This talk is aimed at testers who want to start doing security testing, or who already do and want to level up.