Loading…
Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
View analytic
Friday, August 23 • 11:15am - 12:00pm
Insane in the IFRAME -- The case for client-side HTML sanitization

Sign up or log in to save this to your schedule and see who's attending!

Server-side HTML sanitization is a familiar web application building block, yet despite years of offensive security research, defensive “sanitizer science” is still a kind of voodoo magic. This talk will make the case that as server-side HTML sanitizers lack the ability to effectively simulate every potential user agent, the client itself is the only party empowered to perform accurate sanitization. We will examine the DOM API primitives required to perform such client-side sanitization and review results and learning from a prototype implementation.

Bio:
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, Ross spent his formative years on the Internet Explorer Security Team.

Speakers
avatar for David Ross

David Ross

Microsoft
David Ross is a Principal Security Software Engineer on the MSRC Engineering team at Microsoft. Prior to joining MSRC Engineering in 2002, Ross spent his formative years on the Internet Explorer Security Team.


Friday August 23, 2013 11:15am - 12:00pm
Großer Saal