JSFoo 2013

All about being creative with JavaScript

Lavakumar Kuppan

@lava

Oh no, there is an XSS in your JS. Understanding, Identifying and Avoiding DOM Based XSS.

Submitted Aug 23, 2013

To introduce DOM Based Cross-site Scripting, the most serious and prevalent JavaScript security issue at present, and to explain how it can be identified and avoided.

Outline

Cross-site Scripting is one of the most common and widely known security vulnerabilities, but what is not very well known is that Cross-site Scripting vulnerabilities can occur entirely on the client side, in insecure JavaScript code, without the server ever reflecting the payload.

In 40 minutes you will learn:

  1. How XSS can occur in JavaScript

  2. The different variations of DOM based XSS

  3. How DOM based XSS can be detected with available tools

  4. Best ways to avoid and mitigate DOM based XSS in your code

If you are a JavaScript developer who does not understand this security threat, you run the risk of putting your users’ data in danger. Don’t let that happen!
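The following is an added example, not code from the talk or from the speaker, showing the source-to-sink flow the outline refers to: untrusted data read from location.hash (a source the server never sees) written into innerHTML (a sink that invokes the HTML parser), beside two hardened versions and a check for the location.href / javascript: URL variation. The element objects are constructed stand-ins for DOM nodes so the code runs in Node without a browser; the hostile fragment and the https://example.test/ base origin are assumed placeholders.

```javascript
// Added example (not the talk's own code). DOM based XSS: location.hash -> innerHTML,
// shown as the vulnerable render beside two fixes, plus a javascript: URL check.
// Element objects are constructed stand-ins for real DOM nodes (runs in Node).

// Constructed attacker input: what location.hash holds after a victim opens
// https://example.test/welcome#<img src=x onerror=alert(1)>
const HOSTILE_HASH = '#<img src=x onerror=alert(1)>';

function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Source: read the fragment the way much real code does. decodeURIComponent
// throws on malformed percent-escapes, so fall back to the raw string.
function nameFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// HTML-encode the five characters that let text break out of an element's
// text context or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the fragment is concatenated straight into markup. A browser
// parses the <img> tag and its onerror handler runs as script.
function renderVulnerable(el, hash) {
  el.innerHTML = '<b>Welcome ' + nameFromHash(hash) + '</b>';
  return el.innerHTML;
}

// FIX 1: use a text sink. textContent never invokes the HTML parser, so the
// payload is displayed literally and cannot execute.
function renderAsText(el, hash) {
  el.textContent = 'Welcome ' + nameFromHash(hash);
  return el.textContent;
}

// FIX 2: markup is genuinely needed, so encode the untrusted part right before
// it reaches innerHTML. Encode at the sink, not at the source.
function renderEncoded(el, hash) {
  el.innerHTML = '<b>Welcome ' + escapeHtml(nameFromHash(hash)) + '</b>';
  return el.innerHTML;
}

// Second variation: untrusted input assigned to location.href or an <a> href.
// HTML encoding does not help here, a javascript: URL is still a URL. Parse it
// and allow only http(s), falling back to a safe default. This stops script
// execution; if the target must also stay on-site, compare url.origin as well.
function safeHref(candidate, fallback = '/') {
  let url;
  try {
    url = new URL(candidate, 'https://example.test/'); // assumed base origin
  } catch (e) {
    return fallback;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : fallback;
}

// Stand-alone demonstration: returns every result so it can be inspected.
function demo() {
  return {
    vulnerable: renderVulnerable(makeElement(), HOSTILE_HASH),
    textSink: renderAsText(makeElement(), HOSTILE_HASH),
    encoded: renderEncoded(makeElement(), HOSTILE_HASH),
    jsUrl: safeHref('javascript:alert(document.cookie)'),
    relativeUrl: safeHref('/home?tab=1'),
  };
}

console.log(demo());
```

The vulnerable output contains a live `<img ... onerror=...>` tag; the encoded output contains only `&lt;img ...&gt;`, and the text-sink output never goes through the HTML parser at all. The same pattern applies to the other DOM sinks the talk covers (document.write, eval, setTimeout with a string): find the source, find the sink, and either change the sink or encode for the exact context the sink interprets.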

Speaker bio

Lavakumar is the founder of the IronWASP project, the advanced Web Security Testing Platform. He has authored multiple security tools like HAWAS, ‘Shell of the Future’, JS-Recon, Imposter and the HTML5 based Distributed Computing System - Ravan. As a security researcher he has discovered several novel attacks that include a sandbox bypass on Flash Player, a WAF bypass technique using HTTP Parameter Pollution, multiple HTML5 attacks and a CSRF protection bypass technique using ClickJacking & HPP which was voted by peers and experts as the 5th best ‘web security hack’ of 2010. His work has been covered by leading media portals including Forbes. All his research and tools are available at the Attack and Defense Labs website. He also maintains the HTML5 Security Resources Repository website. He has spoken at multiple conferences such as BlackHat, OWASP AppSec Asia, SecurityByte, ClubHack and NullCon on topics ranging from browser exploitation to HTML5 Security. He is also the recipient of the Black Shield Luminaire award.


Hosted by

JSFoo is a forum for discussing UI engineering; fullstack development; web applications engineering, performance, security and design; accessibility; and latest developments in #JavaScript.