Presentations‎ > ‎

Got Your Nose! How to Steal Your Precious Data Without Using Scripts




Cross Site Scripting techniques and quirky JavaScript have received a lot of attention -- thus more and more ways to get hands on this
threat are being developed and practiced: Security aware people simply switch JavaScript off, developers use sand-boxed IFrames and CSP to protect their applications and NoScript, XSS filters and HTMLPurifer do a great job in keeping people from getting "XSS'd". But what about attacks in the browser that don't require any scripting at all -- but still steal your precious data, right before you know it? What about attacks so sneaky and sophisticated or just simple, even your best Anti-XSS solution won't prevent them? Attacks, that don't use any scripting -- but fierce markup tricks from outer space? This talk will introduce and discuss those kinds of attacks, show how attackers steal plain-text passwords, read CSRF tokens and other sensitive data and create self-spying emails and worse without executing a single line of JavaScript. Deactivating scripts and eliminating XSS as a good level of protection? Not anymore!