WEBVTT - This file was automatically generated by VIMEO

1
00:00:00.700 --> 00:00:03.900
 Welcome to the third and last part of the cross-site scripting session.

2
00:00:03.300 --> 00:00:06.600
 In this part, we will discuss cross-site scripting

3
00:00:06.600 --> 00:00:09.300
 mitigation. We will start discussing what makes

4
00:00:09.300 --> 00:00:12.300
 an application vulnerable, and then we will handle OWASP Juice

5
00:00:12.300 --> 00:00:15.500
 Shop's vulnerable source code. Before closing this session,

6
00:00:15.500 --> 00:00:19.500
 we will discuss how to avoid such vulnerabilities. Applications

7
00:00:18.500 --> 00:00:21.800
 tend to accept data from external sources,

8
00:00:21.100 --> 00:00:24.600
 either user input or integrated third-party

9
00:00:24.600 --> 00:00:27.200
 services. If such data is included in

10
00:00:27.200 --> 00:00:29.900
 HTML responses without proper validation

11
00:00:30.200 --> 00:00:33.400
 and escaping, then the application might be vulnerable. If

12
00:00:33.400 --> 00:00:36.400
 you're using JavaScript frameworks, or you have a single-page

13
00:00:36.400 --> 00:00:39.400
 application which is using unsafe JavaScript APIs to

14
00:00:39.400 --> 00:00:43.000
 append attacker-controllable data to the DOM, then

15
00:00:42.300 --> 00:00:46.300
 your application should also be vulnerable. Let's

16
00:00:46.300 --> 00:00:47.800
 have a look at the source code.

17
00:00:48.900 --> 00:00:51.100
 From the project page, we will jump directly to the

18
00:00:51.100 --> 00:00:52.000
 GitHub repo.

19
00:01:01.100 --> 00:01:04.300
 Since we are dealing with client-side XSS, we should look

20
00:01:04.300 --> 00:01:06.200
 inside the frontend source code folder.

21
00:01:19.300 --> 00:01:22.800
 We are interested in something search-related.

22
00:01:34.700 --> 00:01:37.200
 This script has all the search logic.

23
00:01:56.600 --> 00:01:59.400
 This is the search component class, which has

24
00:01:59.400 --> 00:02:00.500
 several properties.

25
00:02:03.400 --> 00:02:06.300
 This property should hold search keywords. Let's

26
00:02:06.300 --> 00:02:07.500
 see where it is used.

27
00:02:21.900 --> 00:02:24.600
 The query parameter is passed to the bypassSecurityTrustHtml

28
00:02:24.600 --> 00:02:27.900
 method implemented by the sanitizer.

29
00:02:39.200 --> 00:02:41.400
 It is provided by the DomSanitizer.

30
00:02:51.900 --> 00:02:54.900
 DomSanitizer is part of the Angular framework.

31
00:02:54.100 --> 00:02:56.600
 Let's check the documentation.

32
00:03:20.200 --> 00:03:23.300
 We should be at the right place. Let's find the method we're looking

33
00:03:23.300 --> 00:03:23.800
 for.

34
00:03:56.600 --> 00:03:59.100
 Now we know why the script didn't trigger the modal.

35
00:04:01.900 --> 00:04:04.500
 The image tag did, because it is considered safe

36
00:04:04.500 --> 00:04:06.300
 HTML by this method.

37
00:04:10.200 --> 00:04:13.500
 Of course, this method is used intentionally to make the application

38
00:04:13.500 --> 00:04:16.300
 vulnerable, but mistakes like this one are

39
00:04:16.300 --> 00:04:19.100
 more common than you may think. Let's see how to

40
00:04:19.100 --> 00:04:22.700
 mitigate XSS. Choose well-tested

41
00:04:22.700 --> 00:04:26.100
 and actively maintained frameworks that automatically prevent

42
00:04:25.100 --> 00:04:27.700
 XSS by default.

43
00:04:29.100 --> 00:04:32.400
 Audit such frameworks to know the available options and

44
00:04:32.400 --> 00:04:33.500
 their limitations.

45
00:04:34.600 --> 00:04:37.600
 Always escape data based on the context in the HTML

46
00:04:37.600 --> 00:04:40.500
 output it will be included in. Depending on where

47
00:04:40.500 --> 00:04:43.400
 the data will be displayed, different escaping techniques may

48
00:04:43.400 --> 00:04:46.700
 be required. Enforce server-side that

49
00:04:46.700 --> 00:04:49.300
 security directives are sent to clients as

50
00:04:49.300 --> 00:04:52.900
 part of responses. Consider adding appropriate security

51
00:04:52.900 --> 00:04:55.200
 headers. Enabling and

52
00:04:55.200 --> 00:04:58.500
 enforcing a restrictive Content Security Policy will help

53
00:04:58.500 --> 00:05:01.300
 mitigate XSS as long as there is no

54
00:05:01.300 --> 00:05:03.800
 other exploitable vulnerability to add

55
00:05:03.900 --> 00:05:06.500
 malicious code. In our next

56
00:05:06.500 --> 00:05:10.200
 session, we will discuss insecure deserialization. Until

57
00:05:09.200 --> 00:05:12.300
 then, take your time to carefully read

58
00:05:12.300 --> 00:05:14.900
 the cross-site scripting section of the OWASP Top 10.
