Another talk looked at sanitisation tools in popular web frameworks (PHP, Django and so on), the more traditional approach. All can do basic HTML sanitisation, but once you consider different contexts, URIs for example
<a href="$target" /> when
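As an added example (not code from the talk or from any of the frameworks named above), the following Python shows why generic HTML escaping is the wrong sanitiser for the href context: the entity-escaped value still carries a `javascript:` scheme, while a URI-context sanitiser inspects the scheme first. The scheme allowlist and the sample inputs are constructed for this illustration.

```python
import html
from urllib.parse import urlsplit

# Allowlist of URI schemes considered safe in an href attribute (assumed policy,
# chosen for this example; a framework would make this configurable).
SAFE_SCHEMES = {"http", "https", "mailto"}


def escape_html(value: str) -> str:
    """Generic HTML-context sanitiser: entity-escapes & < > " and '."""
    return html.escape(value, quote=True)


def sanitize_href(value: str) -> str:
    """URI-context sanitiser for <a href="...">.

    Browsers ignore ASCII control characters (tab, newline) inside a scheme and
    leading whitespace, so those are removed before the scheme is inspected.
    Anything with a scheme outside SAFE_SCHEMES collapses to a harmless "#";
    scheme-less (relative) links are kept. The result is then HTML-escaped for
    the attribute context it will be placed in.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return escape_html(cleaned)


def render_link_naive(target: str) -> str:
    """Template that only HTML-escapes $target: right for text nodes, wrong for href."""
    return f'<a href="{escape_html(target)}">link</a>'


def render_link_context_aware(target: str) -> str:
    """Same template, but the value is sanitised for the URI context."""
    return f'<a href="{sanitize_href(target)}">link</a>'


if __name__ == "__main__":
    # Constructed sample inputs: one benign link and one scheme-based injection.
    for target in ("https://example.com/?q=a&b=c", "javascript:alert(1)"):
        print(render_link_naive(target))
        print(render_link_context_aware(target))
```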
Some authors looked at cross-site scripting in the context of scripts that are embedded in the page and thus don't fall under the same-origin policy (some advertisements, for example) but still shouldn't have access to the whole page. Here the authors proposed a scheme in which each script runs in a "world" and can only access the parts of the page/DOM that are declared writable in that world.
Yet another approach is client-side protection against cross-site requests, as demonstrated by the authors of the CsFire Firefox extension. The basic idea is to strip cookies from all requests that cross domain boundaries, thus defeating many attacks.
Some scenarios like single sign-on or delegated payment (think PayPal) require requests to pass between two domains with correct cookie handling, but only when the delegated site returns control to the delegator, so CsFire allows them in this case only.
The day finished with a reception hosted by the mayor of Leuven.