Friday, May 22 • 14:30 - 15:15
Finding Bad Needles On A Worldwide Scale


Using automated web security scanners is an indispensable part of the security program for any large web site. Web security, and specifically XSS scanning, remains a hard and interesting problem. In this talk, I will detail our experience of maintaining and developing the Yahoo-wide XSS scanning system over the last few years: mistakes made, lessons learned, and progress achieved, leading into a discussion of the current ongoing work. We will explore the challenges and solutions related to scanner accuracy and the requirement of a low (near-zero) level of false positives, which is crucial for a usable large-scale system. I will demo Contextdetect - our novel method of using Go-based HTML5 and JavaScript parsers to verify XSS findings - as well as our recently open-sourced Webseclab - a set of scanner XSS tests.


Friday May 22, 2015 14:30 - 15:15 CEST
Room E106 & E107 Amsterdam RAI
