BSides is coming to Kosovo. Bishop Fox is proud to be a Leading Sponsor at the very first BSides Prishtina event taking place at the University of Prishtina in Kosovo. Bring your friends and meet new ones. Learn about new hacking tools and techniques from the best in the security community. Stop by the Bishop Fox table to say hi to our team, get the insider view of what it’s like to work in the Fox Den, and pick up some cool swag. We look forward to meeting you.
Admission to BSides Prishtina is free…and so are the snacks. Register here.
Topic: LeXSS - Bypassing Lexical Parsing Security Controls
Presenter: Chris Davis
This talk will cover a technique to exploit cross-site scripting (XSS) in instances where lexical parsers are used to nullify dangerous content, such as in WYSIWYG editors. Chris will review how HTML is parsed at a deep level, with a focus on context state and foreign content. Attendees will learn how rich-text editors parse data and how knowledge of HTML parsing can be abused to exploit them. Two test cases in widely used editors will be shown, in addition to how this technique led to XSS in an estimated 700k+ websites. The presentation will also cover how this technique can be repeated by other researchers and pen testers. This research was a nominee for PortSwigger's Best Web App Hacking Technique 2021.