Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Thursday, August 22 • 5:35pm - 6:20pm
The innerHTML Apocalypse - How mXSS attacks change everything we believed to know so far


This talk introduces and discusses a novel, mostly unpublished technique for attacking websites that employ state-of-the-art XSS protection. The attack, labeled Mutation-XSS (mXSS), is capable of bypassing high-end filter systems by utilizing the browser and its often unknown capabilities - every single one of them.
We analysed the type and number of websites that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help explain what mXSS is, why mXSS is possible, and why it is important for defenders as well as professional attackers to understand it and research it even further.
The talk wraps up several years of research in this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.


Mario Heiderich

Mario (@0x6D6172696F) Heiderich, heart-breaker, bon vivant and co-organizer of this track, will cover mXSS attacks - HTML injections that break each and every HTML filter - and show how hard it is to protect effectively against XSS exploits if browsers are buggy.

Thursday August 22, 2013 5:35pm - 6:20pm CEST
Aussichtsreich Emporio