Fixing XSS With Content Security Policy - Ksenia Dmitrieva - OWASP AppSec California 2015
Merhaba Sevgili Ziyaretçilerimiz;
NetBufe.Com Kazanç amacıyla kurulmamış ve ücretsiz yararlanılan bir sitedir. Video içeriklerinde yer alan reklamlar ile NetBufe.Com sitesinin hiçbir menfaat bağlantısı söz konusu olmayıp ilgili reklamlar videonun yüklü olduğu siteler tarafından veya videoların yüklü olduğu sitelere yüklemeyi yapan kişilerce eklenmiş reklamlardan ibarettir.
Videoların paylaşıma açıldığı sitelerde yüklü videolar/video linkleri herhangi bir nedenle kaldırıldığında ve/veya kısıtlandığında/yasaklandığında sitemizde de ilgili videonun gösterimi otomatik olarak son bulmaktadır.
Telif Hakkı(Copyright Notice) Olabilecek Açık Kullanım İzni Verilmemiş Video Materyaller Hakkında Önerimiz İlgili Videoyu İzlemeyerek(Bu Yönde Materyallerin İzlenmesine Destek Vermeyerek), Resmi Olarak Satın Alıp İzlemeniz Yönündedir.
Tarafımızdan Üyelerimizin sayfamız üzerinde ayrıntılı olarak yer alan tüm bu durumlara ilişkin bilgi ve gerekleri okuyup anladıkları ve kabul ettikleri varsayılmaktadır.
Sitemize ücretsiz ve kolayca üye olarak birçok video paylaşım sitelerindeki kendi videolarınızın linklerini ekleyebilir, Sık Kullanılanlar ve Çalma Listelerinize kaydedebilir ve üye olmanın diğer tüm ayrıcalıklarından üye sosyal alanınızda yararlanabilirsiniz. Video Linkleri Ekleyebileceğiniz Örnek Bazı Siteler
NetBufe.COM
Açıklama
AppSec California 2015 - Day 1, Track 3, Slot 1
Title
Fixing XSS with Content Security Policy
Abstract
“Cross-site scripting (XSS) has been dominating OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology are in how CSP policies are combined and what limitations they place on web development.
The first version of CSP, which is supported by most modern browsers, requires complete separation of JavaScript (static code) from HTML (which contains dynamic data). This is not feasible for large existing web applications as it can require completely rewriting the user interface. CSP 1.1 introduces new keywords that can be used to apply policies to existing code bases without requiring a re-write from scratch. The talk will help the audience understand:
• What the differences between CSP 1.0 and CSP 1.1 are, and what these mean for web application developers?
• How CSP protects web applications from cross-site scripting?
• Whether input validation and output encoding are necessary if CSP is used properly.
• What is the different browser support for this technology?
• How you can get started with using CSP on your website?”
Bio
Ksenia Dmitrieva is a Senior Security Consultant at Cigital with over six years of experience developing and securing web applications. Ksenia holds a M.S. in Computer Science from George Washington University. As a Senior Consultant, she performs penetration testing and code review focusing on web applications, web services, new web technologies and frameworks for clients in financial services, entertainment, telecommunications, and enterprise security industries. Ksenia’s current concentration is on researching HTML5 technologies, their security implications and how their vulnerabilities could be discovered and remediated. Ksenia often delivers training sessions and has previously presented at Nullcon, BSides Security London, and LASCON.
-
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
Yorum Yazınız
![Evanescence - Going To California [HD Live] - 11.13.2015 - Marathon Music Works - FRONT ROW](https://i.ytimg.com/vi/_uZ_edDXs2I/hqdefault.jpg)
