XXSS: Exotic Cross-Site Scripting vectors

Key takeaways
  • You will learn about the different attack mechanisms behind XSS and what makes each of them dangerous.
  • You will discover why avoiding script injection is not enough, as an attacker might hurt your users by injecting HTML, CSS or malicious images.
  • You'll get a glimpse into the weird ways browsers might open themselves up to attacks by trying to be helpful.
  • The talk will help you reevaluate what you consider user input, through the example of blind XSS.

XSS is one of the best-known attacks on the web, perhaps second only to SQL injection. While the general idea behind it is relatively simple, the colorfulness of the web and the quirks of browsers give it a surprising depth. In this talk we'll journey deep down the rabbit hole of XSS attacks and take a look at all the weird ways malicious input may hurt our users, from non-JS-based injections (CSS, HTML, image) through mutation XSS (mXSS), up to blind XSS.
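The abstract's second point, that filtering out script is not enough, is easy to see in code. The following is an added example written for this page, not code from the talk or its speaker: it contrasts a hypothetical filter that only removes `<script>` elements with proper HTML output encoding, and checks which of four constructed inputs (script, CSS, HTML, image) still leave browser-interpretable markup behind. The function names and sample strings are assumptions for illustration.

```javascript
// Added example (not from the talk). Shows why removing <script> is not a
// defence against XSS: any markup that survives into the HTML output (style,
// headings, images, ...) is still an injection the browser will render.

// Hypothetical, deliberately weak defence: strips only <script> elements.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Correct defence for the HTML text context: encode the five characters that
// can start markup or terminate an attribute, so everything is rendered as text.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Does the output still contain an HTML start tag (i.e. something the browser
// would interpret as markup rather than text)?
function containsMarkup(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed inputs, one per vector named in the abstract.
const SAMPLES = [
  { name: 'script', input: '<script>untrusted()</script>' },
  { name: 'css',    input: '<style>body { display: none }</style>' },
  { name: 'html',   input: '<h1>Fake login form goes here</h1>' },
  { name: 'image',  input: '<img src="https://example.invalid/pixel.png">' },
];

// Returns the names of the samples for which `filter` still leaves markup.
function survivingVectors(filter) {
  return SAMPLES.filter((s) => containsMarkup(filter(s.input))).map((s) => s.name);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('markup surviving stripScriptTags:', survivingVectors(stripScriptTags));
  console.log('markup surviving escapeHtml:', survivingVectors(escapeHtml));
}
```

Run with `node`: the script-only filter lets the CSS, HTML and image samples through untouched, while output encoding leaves nothing the parser treats as a tag. The design point is that the defence belongs at the output context (HTML text here; attribute, URL and JavaScript contexts need their own encoders), not in a denylist of tag names.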

Benedek Gagyi
