Web Directions Safe ’21 session spotlight–Eliminating XSS by adopting Trusted Types
Eliminating XSS by adopting Trusted Types
Year after year, Cross-Site Scripting (XSS) continues to be the most expensive type of web vulnerability found in bug bounty programs. The most common variant of XSS occurs on the client side, when untrusted user input is passed to dangerous DOM APIs.
Trusted Types is a novel web browser API designed to eliminate DOM-based XSS. It locks down dangerous DOM sinks so that they only accept values produced by a Trusted Types policy; passing a plain string triggers a Trusted Types violation, so developers must prove that input is safe by routing it through an appropriate policy. Analysis of results from Google’s Vulnerability Reward Program shows that it prevents at least 61% of the DOM-based XSS that Google’s static code analysis pipeline missed.
In this talk Bjarki Ágúst Guðmundsson shows how web applications can significantly strengthen their security posture against DOM-based XSS by adopting Trusted Types, as well as the steps required to identify, fix, and prevent future Trusted Types violations.
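The mechanism the talk describes, as an added illustration that is not part of the session page or of Google’s own code: a Content-Security-Policy header that enforces Trusted Types, a single policy that escapes untrusted text, and a sink assignment that only goes through that policy. The names `escapePolicy`, `escapeHtml` and `renderUserText` are assumptions made for this example, and the small stand-in for `trustedTypes` exists only so the same code also runs outside a browser.

```javascript
// Added example: a minimal Trusted Types policy for escaping untrusted text
// before it reaches an HTML sink, plus the CSP header that enforces it.
// Hypothetical names: escapePolicy, escapeHtml, renderUserText.

// CSP header a server would send so that innerHTML, eval and friends only
// accept Trusted Types values; 'escape' is the only policy name allowed.
const CSP_HEADER =
  "Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape";

// Plain HTML escaping of the five characters that can open a new context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// In a browser, trustedTypes.createPolicy() returns a policy whose createHTML()
// yields a TrustedHTML object that the locked-down sinks accept. Outside a
// browser (e.g. Node, where this example also runs) we install a tiny stand-in
// with the same shape so the code below behaves the same way.
const tt = globalThis.trustedTypes ?? {
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (input) => ({ toString: () => rules.createHTML(input) }),
    };
  },
};

// The policy is the single audited place where a string becomes TrustedHTML.
// Its body is the proof that the value is safe: here, full HTML escaping.
const escapePolicy = tt.createPolicy('escape', {
  createHTML: (input) => escapeHtml(input),
});

// Sink usage: with the CSP above, assigning a raw string to innerHTML would
// throw a Trusted Types violation; the policy output is accepted.
function renderUserText(element, untrusted) {
  element.innerHTML = escapePolicy.createHTML(untrusted);
  return String(element.innerHTML);
}

// Constructed sample input containing markup that must not be interpreted.
const sample = 'Hello <b>world</b> & "friends"';
const fakeElement = {}; // stand-in for a DOM element in non-browser runs
console.log(CSP_HEADER);
console.log(renderUserText(fakeElement, sample));
// → Hello &lt;b&gt;world&lt;/b&gt; &amp; &quot;friends&quot;
```

Because the header names `escape` as the only permitted policy, any other `createPolicy` call and any raw-string assignment to a guarded sink is reported as a violation, which is what makes the remaining policy bodies the complete list of places to audit.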
Bjarki Ágúst Guðmundsson
Bjarki has a strong technical background in computer science, having started developing websites at an early age. He holds an M.Sc. in Computer Science and a B.Sc. in Discrete Mathematics from Reykjavík University, with a short academic career resulting in several peer-reviewed publications and talks at international conferences in both computer science and mathematics. Bjarki previously worked as an information security consultant, performing everything from application assessments to real-world attack simulations. At Google, Bjarki carries out security hardening of application frameworks, develops inherently secure APIs, and builds compiler guards that guide developers to these APIs.
In 2022 we have a whole series of events for Front End Developers
Across 2022 Web Directions is presenting our series of online conferences for front end designers and developers. Focussed deep dives, they go far beyond what you might expect from conference programs.
Priced individually from $195, or attend all 6, plus get access to our conference presentation platform Conffab for just $595, or $59 a month.