Has anyone done usability studies with developers on why vulns like XSS are so common? Which changes to the languages/tools affect the probability of the vulnerability appearing the most? Can you make a language that’s extremely hard for humans to write bug-free programs in?
Replying to @DefuseSec
Y'know how SQL injection stops prepared statements in a provably secure way (because the query string and parameters are sent in separate packets)? We don't have that for XSS prevention. HTML documents may have executable code included like it or not.
Replying to @SoatokDhole @DefuseSec
DOM operations do that (e.g. load template, fill with user data using .innerText)
Replying to @mik235 @DefuseSec
Yeah, the only question is: How to get the entire Internet to transition to use DOM operations?
Replying to @SoatokDhole @DefuseSec
There are some minor changes to Polymer that get you there (strict url type needed). Soy strict templates also do, and can be rendered server side.
@arturjanc might have more examples/details.
tl;dr: https://schd.ws/hosted_files/appseccalifornia2016/f0/AppSec-PreventingSecurityBugsThroughSoftwareDesign-ChristophKern.pdf … XSS is endemic because you introduce it by default when including user-controlled data in markup or in any number of common DOM APIs (innerHTML, location.href = ..., etc). Solving it in the platform requires safe HTML template systems and DOM APIs.
For making DOM APIs safe, see https://github.com/WICG/trusted-types … (+@koto). For provably safe server-side markup generation, a good reference is https://ai.google/research/pubs/pub42934 …