reactsydney / talks

Talk proposals and discussions
https://www.meetup.com/React-Sydney/

Learn how a JSMVC can make a web application vulnerable and facilitate an attacker's objective #71

Closed pi3ch closed 6 years ago

pi3ch commented 6 years ago

Talk Date: 5th March (follow-up talks later, depending on interest)

Talk Title: Client-side Template Injection (CSTI)

Length: 20 min (this is a long talk; I was asked by Jess to make it an intro this time around)

Twitter-sized Overview (140 characters): Learn how a JSMVC can make a web application vulnerable and facilitate an attacker's objective

Detailed Overview: Browsers' security controls, backend security libraries and HTTP response security headers have made it very difficult to exploit common security vulnerabilities (yes, you know it, XSS!). However, a trend of insecure usage of JSMVCs has flipped the coin to the attacker's advantage. The attacker can misuse the rich functionality brought by a JSMVC to bypass security controls. In this presentation/workshop I will elaborate on one of the frontend security vulnerability classes, Client-Side Template Injection (CSTI), and demonstrate how a real-world attack can happen. I will conclude my presentation with best practices to effectively protect our applications against CSTI.

Bio: I am a security instructor and consultant at elttam (https://elttam.com.au) by day, and founder of the SecTalks (https://www.sectalks.org) community by night. I have been teaching security training courses to developers and doing security assessments for quite a few years.
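The bypass the overview describes, as an added example that is not part of the proposal, the talk, or any real framework's code: a toy JSMVC-style engine that evaluates `{{ }}` expressions found in page text, the vulnerable pattern of a server escaping user input and then letting the client compile that HTML as a template, and the hardened pattern of binding user input as data to a fixed template. The scope object, the session token value, the function names and both payloads are constructed for illustration.

```javascript
// Added example (not from the talk or any real framework): a toy JSMVC-style
// template engine that mimics the behaviour CSTI abuses, beside the pattern
// that avoids it. All names and sample values below are constructed.

// Server-side HTML escaping, the XSS defence the talk says attackers must bypass.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Toy client-side engine: every {{expr}} in the page text is evaluated against
// the page's scope object, in the style of AngularJS 1.x interpolation. The
// 'with' block resolves bare names through the scope and its prototype chain,
// so 'constructor' reaches Object and 'constructor.constructor' reaches Function.
function compileAndEvaluate(templateText, scope) {
  return templateText.replace(/\{\{(.+?)\}\}/g, (_, expr) => {
    const fn = new Function('scope', 'with (scope) { return (' + expr + '); }');
    return String(fn(scope));
  });
}

// Constructed page state: data an attacker would want to read.
const SCOPE = { session: { token: 'sess-abc123' } };

// VULNERABLE pattern: the server escapes the user's search string and embeds it
// in the HTML, then the client engine compiles that HTML as a template. Escaping
// removes & < > " ' but not {{ }} or backticks, so the input is evaluated as code.
function renderVulnerable(userInput) {
  const html = '<p>Results for ' + htmlEscape(userInput) + '</p>';
  return compileAndEvaluate(html, SCOPE);
}

// HARDENED pattern: the template is a fixed string shipped with the app and user
// input only ever enters as a scope value. Interpolated values are inserted as
// escaped text and the output is never compiled again, so braces stay inert.
function renderHardened(userInput) {
  const template = '<p>Results for {{query}}</p>';
  const scope = Object.assign({ query: userInput }, SCOPE);
  return template.replace(/\{\{(.+?)\}\}/g, (_, name) => {
    const key = name.trim();
    // Own-property read only: no expression evaluation, no prototype walk.
    return Object.prototype.hasOwnProperty.call(scope, key) ? htmlEscape(scope[key]) : '';
  });
}

// Two constructed payloads: one reads scope data, one escapes to arbitrary JS.
// Neither contains a character the server-side escaper touches.
const LEAK_PAYLOAD = '{{session.token}}';
const RCE_PAYLOAD = '{{constructor.constructor(`return 7*6`)()}}';

console.log('vulnerable, leak :', renderVulnerable(LEAK_PAYLOAD));   // token appears
console.log('vulnerable, eval :', renderVulnerable(RCE_PAYLOAD));    // 42 appears
console.log('hardened, leak   :', renderHardened(LEAK_PAYLOAD));     // literal braces
console.log('hardened, eval   :', renderHardened(RCE_PAYLOAD));      // literal braces
console.log('hardened, xss    :', renderHardened('<script>'));       // escaped
```

The point of the second function is that the fix is architectural rather than a better escaper: user-controlled text must never become template source, only template data. Restricting the interpolation to own-property reads is defence in depth on top of that.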

jesstelford commented 6 years ago

Excellent - We'll schedule you in for this Monday, March 5th 👍