Two keys components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention - the OWASP Top 10. Additionally there is no public tool available to facilitate finding XSSI. The impact reaches from leaking personal information stored, circumvention of token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly wide spread and the lack of detection increases the risk of each XSSI. In this talk we are going to demonstrate how to find XSSI, exploit XSSI and also how to protect against XSSI.
Presented at Security Fest 2016.Speaker: Veit Hailperin
Veit Hailperin is a security researcher and consultant at scip AG. They are based in Zürich, Switzerland with clients covering a wide range, from non-profit organizations and governmental agencies to banks and insurance companies. His research interests are focused on network and application layer security.