
Meet Us in Europe! Bishop Fox to Sponsor and Present at BSides Prishtina

Date & Time: Past Event
Location: University of Prishtina, Kosovo

BSides is coming to Kosovo. Bishop Fox is proud to be a Leading Sponsor at the very first BSides Prishtina event taking place at the University of Prishtina in Kosovo. Bring your friends and meet new ones. Learn about new hacking tools and techniques from the best in the security community. Stop by the Bishop Fox table to say hi to our team, get the insider view of what it’s like to work in the Fox Den, and pick up some cool swag. We look forward to meeting you.

Admission to BSides Prishtina is free…and so are the snacks. Register here.

Session

Topic: LeXSS - Bypassing Lexical Parsing Security Controls

Presenter: Chris Davis

Abstract:

This talk will cover a technique to exploit cross-site scripting (XSS) in applications such as WYSIWYG editors, where lexical parsers are used to neutralize dangerous content. Chris will review how HTML is parsed at a deep level, with a focus on context state and foreign content. Attendees will learn how rich-text editors parse data and how knowledge of HTML parsing can be used to exploit them. Two test cases in widely used editors will be shown, along with how this technique led to XSS in an estimated 700k+ websites. The presentation will also cover how this technique can be repeated by other researchers and pen testers. This research was a nominee for PortSwigger's Best Web App Hacking Technique 2021.

View Chris' presentation


About the speaker, Chris Davis

Senior Security Consultant

Chris Davis is a Senior Security Consultant at Bishop Fox. His areas of expertise are application penetration testing (static and dynamic) and external network penetration testing.

Chris actively conducts independent security research and has been credited with the discovery of 40 CVEs (including CVE-2019-7551 and CVE-2018-17150) on enterprise-level, highly distributed software. The vulnerabilities he identified included remote code execution and cross-site scripting (XSS).
